Microsoft opens up bug bounty programme for online services

The rewards users receive will be based on the "detail, quality and complexity" of the discovered vulnerability, says Microsoft

Microsoft is to offer rewards to anyone who discovers bugs within many of its online services.

Dubbed the 'Microsoft Online Services Bug Bounty Program', the company kicked off the scheme earlier this week, saying anyone submitting a bug is eligible for a minimum payment of $500 (340).

According to the post on Technet, bugs can include any vulnerabilities discovered in its Office, Outlook 365 and Office 365 for business email services applications, Sharepoint, Lync, Yammer and other services that belong to Microsoft.

Bounties will be paid out to anyone discovering cross site scripting (XSS), cross site request forgery (CSRF), unauthorised cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration vulnerabilities.

Advertisement - Article continues below

A number of vulnerabilities have, however, been blacklisted including bugs that only affect unsupported browsers and plugins and those that would not necessarily pose a risk to people using its services in a regular way. Microsoft will also not pay out if a Denial of Service (DoS) attack is discovered.

Microsoft encourages those who wish to mine for bugs to set up test accounts for security testing rather than use live ones. 

Depending on the severity of the bug, Microsoft will vary its payments, but the company says the minimum paid out will be $500 (340). However, the "detail, quality, and complexity of the vulnerability" will also be considered in determining the level of payment.

Some of the biggest tech companies around the world already offer rewards to researchers or regular users who uncover bugs or vulnerabilities. Twitter recently announced it would pay around $140 (85) for every security flaw its users find, while Yahoo came under fire for offering just $12.50 (7.65) in its scheme.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Microsoft Surface Laptop 3 13in review: Almost the perfect laptop

6 Dec 2019

Microsoft Surface Laptop 3 15in review: Ryzen falls

4 Dec 2019

The IT Pro Podcast: Is the future multi-cloud?

29 Nov 2019

Microsoft Teams surpasses 20 million daily users

20 Nov 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019