Tweet
Written by Sue Gee
Microsoft has launched a bug bounty program covering its Online Services, starting with Office 365. Rewards for qualified submissions start at $500.
Microsoft already has an established Bug Bounty Program, including the Mitigation Bypass Bounty program which pays up to $100,000 USD for novel exploitation techniques against protections built into its newest operating systems and the BlueHat Bonus for Defense, an additional uo to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.
Now it is extending the idea of paying for vulnerability reports to its online service stating:
Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure.
Qualified submissions for the Online Services Bug Bounty will be eligible for a minimum payment of $500 with the provision:
Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.
Eligible submissions include vulnerabilities of the following types:
The program is restricted to the following domains:
You also need to be aware of the rules governing the testing of the above bounty-eligible online services. The terms and conditions state:
You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string "MSOBB" in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program.
Additionally all the following are prohibited:
So is $500 enough for going to so much trouble? Well, it is a minimum, and Microsoft has a record of paying substantial sums for critical bugs.
More Information
Bug Bounty Evolution: Online Services
Microsoft Bounty Programs
Related Articles
Microsoft Extends Bounty
Bounty Hunter Awarded $100,000
Microsoft Offers $100,000 For Novel Exploits
Microsoft and Facebook Launch Internet Bug Bounty Scheme
Google Offers Cash For Security Patches
Microsoft has launched a bug bounty program covering its Online Services, starting with Office 365. Rewards for qualified submissions start at $500.
Microsoft already has an established Bug Bounty Program, including the Mitigation Bypass Bounty program which pays up to $100,000 USD for novel exploitation techniques against protections built into its newest operating systems and the BlueHat Bonus for Defense, an additional uo to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.
Now it is extending the idea of paying for vulnerability reports to its online service stating:
Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure.
Qualified submissions for the Online Services Bug Bounty will be eligible for a minimum payment of $500 with the provision:
Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.
Eligible submissions include vulnerabilities of the following types:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration
The program is restricted to the following domains:
- portal.office.com
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com - excluding user-generated content
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net
You also need to be aware of the rules governing the testing of the above bounty-eligible online services. The terms and conditions state:
You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string "MSOBB" in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program.
Additionally all the following are prohibited:
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
- Moving beyond "proof of concept" repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).
- Attempting phishing or other social engineering attacks against our employees.
So is $500 enough for going to so much trouble? Well, it is a minimum, and Microsoft has a record of paying substantial sums for critical bugs.
More Information
Bug Bounty Evolution: Online Services
Microsoft Bounty Programs
Related Articles
Microsoft Extends Bounty
Bounty Hunter Awarded $100,000
Microsoft Offers $100,000 For Novel Exploits
Microsoft and Facebook Launch Internet Bug Bounty Scheme
Google Offers Cash For Security Patches
Comment