Microsoft today launched the Microsoft Online Services Bug Bounty Program, offering security researchers rewards for submitted vulnerabilities. The program encompasses the various Online Services provided by Microsoft, and bounties for qualified submissions start at a minimum payment of $500, with more offered depending on the impact of the vulnerability.
Eligible submissions include vulnerabilities of the following types: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration. That being said, as with any such program, bounties are paid at the discretion of the company.
Any of the following domains are available for hacking as part of the program:
- portal.office.com
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net
Microsoft says it plans to bring more from its online services groups into the program. The goal is the same as with any bug bounty program: uncover unknown issues to protect customers as quickly as possible.
That being said, the company also provides a list of vulnerabilities that will not earn a bounty reward:
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”).
- Server-side information disclosure such as IPs, server names and most stack traces.
- Bugs in the web application that only affect unsupported browsers and plugins.
- Bugs used to enumerate or confirm the existence of users or tenants.
- Bugs requiring unlikely user actions.
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
- “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
- Low impact CSRF bugs (such as logoff).
- Denial of Service issues.
- Cookie replay vulnerabilities.
You can report both eligible and ineligible vulnerabilities in Microsoft products and services to secure@microsoft.com.