Want to keep the TNW Conference vibe going?? Tickets for TNW2022 are available now >>

The heart of tech

This article was published on September 23, 2014

Microsoft launches Online Services Bug Bounty Program, includes Office 365 with rewards starting at $500

Microsoft launches Online Services Bug Bounty Program, includes Office 365 with rewards starting at $500
Emil Protalinski
Story by

Emil Protalinski

Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, incl Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET. Stay in touch via Facebook, Twitter, and Google+.

Microsoft today launched the Microsoft Online Services Bug Bounty Program, offering security researchers rewards for submitted vulnerabilities. The program encompasses the various Online Services provided by Microsoft, and bounties for qualified submissions start at a minimum payment of $500, with more offered depending on the impact of the vulnerability.

Eligible submissions include vulnerabilities of the following types: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration. That being said, as with any such program, bounties are paid at the discretion of the company.

Any of the following domains are available for hacking as part of the program:

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

Microsoft says it plans to bring more from its online services groups into the program. The goal is the same as with any bug bounty program: uncover unknown issues to protect customers as quickly as possible.

That being said, the company also provides a list of vulnerabilities that will not earn a bounty reward:

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”).
  • Server-side information disclosure such as IPs, server names and most stack traces.
  • Bugs in the web application that only affect unsupported browsers and plugins.
  • Bugs used to enumerate or confirm the existence of users or tenants.
  • Bugs requiring unlikely user actions.
  • URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
  • Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
  • ”Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
  • Low impact CSRF bugs (such as logoff).
  • Denial of Service issues.
  • Cookie replay vulnerabilities.

You can report both eligible and ineligible vulnerabilities in Microsoft products and services to [email protected].

See alsoMicrosoft expands $100,000 bug bounty from just security researchers to groups, responders, and forensic experts and Microsoft and Facebook sponsor Internet Bug Bounty program, offer cash for hacking the Internet stack

Image credit: Tracy Olson