Microsoft Announces Online Services Bug Bounty Program To Reward And Recognize Security Researchers

Microsoft Security

Microsoft today announced the launch of the Microsoft Online Services Bug Bounty Program. With this program, security researchers will have the opportunity to earn a bounty on submitted vulnerabilities for participating Online Services provided by Microsoft. Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains.

Eligible submissions will include vulnerabilities of the following types:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Flaws
  • Authentication Flaws
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration

Microsoft reserves the right to reject, at its sole discretion, any submission that it determines does not meet the above criteria.

Additionally, only vulnerabilities reported in the following domains are eligible for bug bounty payments and allow for testing as described in these terms:

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

Read more about it here and here.
