The Bug Bounty Program by Microsoft is considered to be an innovative and great initiative. In this program, Microsoft has asked developers, programmers, researchers and even hackers across the globe to join hands with it in finding certain types of exploitation techniques and vulnerabilities. Qualified submissions will receive a minimum of USD 500. Microsoft mentioned that the bounties will be paid at Microsoft’s discretion and will be determined on the basis of the impact of the vulnerability.
Microsoft Online Services Bug Bounty Program
Microsoft has launched the Microsoft Online Services Bug Bounty program, which began with Office 365.
On its official blog, Microsoft said the following about the Online Services Bug Bounty program:
“Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward.”
What counts as an eligible submission in the Bug Bounty program
Microsoft explains what can be considered an eligible submission in the Bug Bounty program.
“Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains. Additionally, in order for submissions to be processed as quickly as possible and to ensure the highest payment for the type of vulnerability being reported, submissions should include concise repro steps that are easily understood.”
Microsoft also listed the vulnerabilities that qualify as eligible submissions. The list is as follows:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration
You can read the detailed information about the Bug Bounty Program at Microsoft.