Microsoft opens up bug bounty programme for online services

The rewards users receive will be based on the "detail, quality and complexity" of the discovered vulnerability, says Microsoft

Microsoft is to offer rewards to anyone who discovers bugs within many of its online services.

Dubbed the 'Microsoft Online Services Bug Bounty Program', the company kicked off the scheme earlier this week, saying anyone submitting a bug is eligible for a minimum payment of $500 (340).

According to the post on Technet, bugs can include any vulnerabilities discovered in its Office, Outlook 365 and Office 365 for business email services applications, Sharepoint, Lync, Yammer and other services that belong to Microsoft.

Bounties will be paid out to anyone discovering cross site scripting (XSS), cross site request forgery (CSRF), unauthorised cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration vulnerabilities.

Advertisement - Article continues below
Advertisement - Article continues below

A number of vulnerabilities have, however, been blacklisted including bugs that only affect unsupported browsers and plugins and those that would not necessarily pose a risk to people using its services in a regular way. Microsoft will also not pay out if a Denial of Service (DoS) attack is discovered.

Microsoft encourages those who wish to mine for bugs to set up test accounts for security testing rather than use live ones. 

Depending on the severity of the bug, Microsoft will vary its payments, but the company says the minimum paid out will be $500 (340). However, the "detail, quality, and complexity of the vulnerability" will also be considered in determining the level of payment.

Some of the biggest tech companies around the world already offer rewards to researchers or regular users who uncover bugs or vulnerabilities. Twitter recently announced it would pay around $140 (85) for every security flaw its users find, while Yahoo came under fire for offering just $12.50 (7.65) in its scheme.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


cloud computing

Microsoft has an edge on AWS, according to IT executives

8 Jan 2020

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019

Microsoft Surface Laptop 3 13in review: Almost the perfect laptop

6 Dec 2019

Microsoft Surface Laptop 3 15in review: Ryzen falls

4 Dec 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020