Redmond launches bug bounty program for Office Insider

Mar 16, 2017 09:02 GMT

Microsoft has just launched a new bug bounty program, this time aimed at users who are running Office Insider builds as part of the Slow ring.

Specifically, Microsoft is willing to pay up to $15,000 for security vulnerabilities that are discovered in Office 2016 builds released to Slow ring users running the latest and fully patched version of Windows 10.

Microsoft says that although payments range from $500 to $15,000, it could offer a bounty beyond that ceiling; the amount depends on how complex and how well documented the vulnerability researchers discover in its productivity suite is.

Eligible vulnerabilities

There are three classes of security flaw that Microsoft is particularly interested in:

- elevation of privilege via the Office Protected View sandbox (excluding vulnerabilities in components and libraries not installed by Office, or in the AppContainer sandbox, that apply to any application using them);
- macro execution by bypassing the security policies that block Office macros in Word, Excel, and PowerPoint;
- code execution in Outlook.

The flaws that qualify for the largest payment are elevation of privilege and macro execution, in both cases submitted with a high-quality report and a proof of concept.

The bug bounty program runs from March 15 through June 15 and only covers the desktop version of the Office productivity suite running on Windows.

“Bounties will be paid out at Microsoft’s sole discretion based on the quality and complexity of the vulnerability. Certain submissions may be eligible for bounties of more than $15,000,” Microsoft explains.

If you’re interested in participating in the program, the first thing you have to do is register for the Office Insider program here and download the most recent Slow ring build. Also, make sure that your computer is running a fully up-to-date Windows 10 version (which at this point is the Anniversary Update with the March 2017 updates installed).