Now every part of Windows is covered by a bug bounty scheme.

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty schemes, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, it was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft's bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows' wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time-limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploitable code is distributed to regular end users. Last month, the Edge bounty program was made an ongoing, continuous scheme no longer tied to any particular timeframe.

The bounty scheme announced today does not replace those focus areas. Edge, the Windows mitigation techniques, Hyper-V, and Windows Defender App Guard all have their own focused bounty schemes. Rather, it acts as a catch-all for the rest of Windows. A researcher finding and reporting a remote code execution flaw in Windows with a high-quality proof of concept can find themselves eligible for a $15,000 payout. Elevation of privilege can yield $10,000, and even information disclosure, denial of service, and spoofing can produce rewards of up to $5,000.

The targeted schemes can be more lucrative. A full exploit for Hyper-V that enables a malicious or attacker-controlled virtual machine to cause the hypervisor itself to execute arbitrary code will produce a payout of up to $250,000. An exploit that can bypass the full range of exploit mitigation techniques can earn up to $100,000.