Microsoft today announced the launch of the Microsoft Online Services Bug Bounty Program. With this program, security researchers will have the opportunity to earn a bounty on submitted vulnerabilities for participating Online Services provided by Microsoft. Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains.
Eligible submissions will include vulnerabilities of the following types:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Flaws
- Authentication Flaws
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration
Microsoft reserves the right to reject, at our sole discretion, any submission that we determine does not meet the above criteria.
Additionally, only vulnerabilities reported in the following domains are eligible for bug bounty payments and allow for testing as described in these terms:
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)