IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft announces lucrative new bug bounty awards for M365 products and services

The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs

Microsoft has announced two brand-new awards for its Microsoft 365 bug bounty programmes, offering the highest potential payouts for eligible submissions.

The two new awards focus on scenario-based bugs, Microsoft said and will be available to the Dynamics 365 and Power Platform Bounty Program and the M365 Bounty Program.

The most severe bugs that could be used in high-impact scenarios will be awarded the biggest payouts with the potential for a 30% bonus on top of the vulnerability itself.

Microsoft lists several examples of high-impact scenarios in which it’s looking for reported bugs. Remote code execution (RCE) flaws attract the most lucrative payouts and the full 30% bonus, in some cases, while others such as privilege escalation issues, information disclosure, spoofing, tampering, and denial of service (DoS) bugs also lead to awards.

In Microsoft’s most recent ‘Patch Tuesday’, issued last week, a total of 145 vulnerabilities were addressed and the majority of these were privilege escalation and RCE issues.

RCE vulnerabilities accounted for close to a third of all the bugs that were patched, three of which were rated 9.8/10 for severity and two were wormable.

The severity of the reported bug, combined with the quality of the report itself and whether it can be executed in a high-impact scenario all impact the overall payout.

There are six total scenarios Microsoft earmarked for bonuses, five of which are exclusive to the M365 Bounty Program. Each one has a unique common weakness enumeration (CWE) code with additional bonuses ranging between 15-30% of the initial bug’s reward.

The Dynamics 365 and Power Platform Bounty Program has just the one high-impact scenario which is ‘cross-tenant information disclosure’ - a condition that warrants a maximum reward of $20,000 if met.

Microsoft added scenario-based rewards to its cloud security bug bounty programs in October last year, offering larger bonuses of up to 50% and a total value of $60,000 for the most severe flaws affecting Azure services.

Cross-tenant data leakage in Azure Synapse Analytics, and compromise logging or auditing keys in Key Vault, were both made eligible for the maximum bonuses at the time.

The company announced in July last year that it awarded a total of $13.6 million in bug bounty payouts in the previous one-year period, a figure three times greater than what it awarded in 2019.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022
Microsoft warns of new botnet variant targeting Windows and Linux systems
Security

Microsoft warns of new botnet variant targeting Windows and Linux systems

16 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022