Find security bugs in Microsoft online services and get paid

Sep 24, 2014 12:12 GMT  ·  By
Microsoft hopes to improve the security of its services with this new program

Microsoft isn’t quite the biggest fan of bug bounty programs, but the company has slowly migrated towards this new approach with some recent vulnerability payouts.

Today, the company takes a further step towards a full-scale bug bounty campaign with a program aimed at its online services, including Outlook.com, OneDrive, and Office 365.

The first in the lineup is Office 365, with bounties starting today at $500 (€389.12); cash payouts are made “at Microsoft’s discretion based on the impact of the vulnerability,” as the company said in an announcement.

Basically, all you need to do is find security vulnerabilities in Office 365, report them to Microsoft, and get paid.

Not all vulnerabilities are accepted

Still, not everyone is eligible for a cash reward, and Microsoft says that only the following vulnerability classes will be considered for a bounty:

- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Flaws
- Authentication Flaws
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration

At the same time, the company adds that only the following domains are in scope for submissions, so if you find a security bug in any other domain, you might not get any cash reward:

- portal.office.com
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net

How to submit a security bug

If you do find a security vulnerability in one of the aforementioned domains and you think that you might qualify for a reward, all you need to do is send your complete submission to [email protected]. Once you’re done, you should receive a confirmation email informing you that Microsoft has received your submission.

Microsoft will then verify all security submissions and decide who gets paid for their findings; how long this takes varies with the number of submissions and their complexity.

You should then receive an email including the paperwork and other information required for you to receive your money, but again, this can also take a while depending on several factors.

“The detail, quality, and complexity of the vulnerability will also be considered in making a determination. Microsoft retains sole discretion in determining which submissions are qualified. The minimum bounty paid for a qualified submission will be $500 USD. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for,” Microsoft says.

In order to participate in this program, you need to be 14 years of age or older, with no restriction on your location whatsoever.