Microsoft announces ‘Online Services Bug Bounty Program’


Microsoft on Tuesday announced the Microsoft Online Services Bug Bounty Program, which offers rewards starting at $500 for “significant web application vulnerabilities found in eligible online service domains.”

Outlook, Office365, Yammer, SharePoint and Lync are among the online services participating in the Bug Bounty Program.

According to Microsoft’s terms and conditions for the bug bounty program, the vulnerability types eligible for bounties are cross-site scripting (XSS), cross-site request forgery (CSRF), cross-tenant data tampering, insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation, and security misconfigurations.

Under the Bug Bounty Program, researchers will be offered a minimum reward of $500 for every qualified vulnerability they submit. The amount could be higher if Microsoft deems the flaw high-impact.

Microsoft has also issued a list of “flaws” which don’t qualify for the reward program. The list includes:

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”).
  • Server-side information disclosure such as IPs, server names and most stack traces.
  • Bugs in the web application that only affect unsupported browsers and plugins.
  • Bugs used to enumerate or confirm the existence of users or tenants.
  • Bugs requiring unlikely user actions.
  • URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
  • Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
  • “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
  • Low impact CSRF bugs (such as logoff).
  • Denial of Service issues.
  • Cookie replay vulnerabilities.

Microsoft announced its first three bug bounty programs last June, offering researchers rewards of up to $150,000 in cash for finding flaws in Windows 8 and Internet Explorer 1.