Bug bounty programs, which pay hackers and technically savvy researchers to find and report security flaws in software, have become quite popular in the tech industry over the past few years. Apple, Google, and Microsoft all run bug bounty programs, and today word has gotten out that Microsoft has doubled the payout in some of its bug bounty programs from $15k to $30k in a limited-time offer (via FossBeta.com).
The increase to a $30k bounty is limited to the Microsoft Office 365 Portal and Microsoft Exchange Online, but it is still good to see the company offering extra incentive. You may find the full details of this latest bug bounty below:
Qualified submissions are eligible for a minimum payment of $500 USD up to a maximum of $15,000 USD. Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability. From March 1, 2017 to May 1, 2017, any eligible vulnerability submitted for Microsoft Office 365 Portal and Microsoft Exchange Online will be eligible for double rewards. Hence, any qualified vulnerability found in the domains below will receive up to $30,000 USD if it’s submitted between March 1 and May 1, 2017.
Qualified domains for the $30,000 include portal.office.com, outlook.office365.com, outlook.office.com, and outlook.com. Eligible vulnerability types cover a wide range of areas, including the following.
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
It’s great to see that Microsoft is taking security seriously, especially given that Google recently publicly disclosed security flaws in the IE and Edge browsers and in Windows before Microsoft had patched them.