Microsoft today announced significant expansions to the Microsoft Bounty Programs, which reward developers and security researchers for finding security bugs in Microsoft’s products and services. Microsoft is adding Azure, Project Spartan and Sway.com to the program list.
- Azure is Microsoft’s cloud platform and the backbone of Microsoft cloud services.
- This program will include a number of Azure services, such as Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory and much more.
- Sway.com is a web application that lets users express ideas in an entirely new way across many devices and platforms.
- Raising the maximum payout for the Online Services Bounty Program
- We will pay up to $15,000 USD for critical bugs; as always, we pay more for more impactful and better documented bugs.
- Project Spartan Bug Bounty
- Microsoft’s new browser will be the onramp to the internet for millions of users when Windows 10 launches later this year. Securing this platform is a top priority for the browser team.
- This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.
- Always be sure to use the latest version released in the Windows 10 Technical Preview.
- Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan; you can see the specifics in the program terms. Don’t hesitate, as the Project Spartan Bug Bounty will run from April 22, 2015 to June 22, 2015.
- The bounties for Spartan are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.
Microsoft already has the Mitigation Bypass bounty and the Bonus bounty for Defense, which offer up to $100,000 USD for novel methods to bypass active mitigations (e.g. ASLR and DEP) in the latest released version of the operating system (currently Windows 8.1 and Server 2012 R2) and a bonus of up to $50,000 USD for actionable defense techniques to the reported bypass. There is one addition to the Mitigation Bypass bounty:
- Hyper-V escape
- Guest-to-Host DoS (non-distributed, from a single guest)