Microsoft has just announced that it’s doubling the bounties offered to security researchers who discover vulnerabilities in its Office 365 services, with the maximum reward now accounting for $30,000.
The company says that this increase in bounty value is valid between March 1 and May 1 this year, and covers vulnerabilities discovered in Exchange Online and Office 365 Admin portal, with the following domains included: portal.office.com, outlook.office365.com, outlook.office.com, outlook.live.com, and *.outlook.com.
“These properties are core web applications in the Office 365 suite. Securing Exchange Online, Microsoft’s hosted enterprise e-mail solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device. Office 365 admin portal is the web management interface for managing tenant access. This portal is an important piece in protecting tenants and tenant admins from compromise,” Microsoft explains
Previously, Microsoft was offering bounties between $500 and $15,000, and after the increase, researchers can get between $1,000 and $30,000.
Supported vulnerabilitiesThe following vulnerabilities are eligible for the program: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Vulnerabilities, Authentication Vulnerabilities, Server-side Code Execution, Privilege Escalation, Significant Security Misconfiguration (when not caused by user).
The Microsoft Online Services Bug Bounty program was first launched by Microsoft in September 2014 and then expanded in April and August 2015 to include additional services. The effort covers Microsoft Office 365 Portal and Microsoft Exchange Online and is being used by Microsoft to find and patch security flaws in its services with help from experts across the world who can report their findings to the company in exchange for a certain financial reward.
Doubling the bounties is definitely an efficient way to encourage researchers to increase their bug hunting efforts, and if you’re willing to participate as well make sure that you check all terms of the service here .
