Wednesday, April 23, 2025

Microsoft Enhances M365 Bounty Program with New Services & Rewards Up to $27,000


Microsoft has announced updates to its Microsoft 365 (M365) Bug Bounty Program, offering expanded services, clearer guidelines, and bounty rewards ranging from $500 to a significant $27,000.

The initiative reflects Microsoft’s ongoing commitment to cybersecurity and enlisting global security researchers to enhance user safety.

The Microsoft 365 Bounty Program invites security researchers worldwide to uncover and report vulnerabilities in specific M365 services and products, such as Office 365 and Microsoft Account.


Focused on critical vulnerabilities, the program requires that reported issues directly and demonstrably affect user security.

Researchers whose findings meet the program’s stringent criteria stand a chance to earn considerable financial rewards.

Expanded Rewards and High-Impact Scenarios

Eligible submissions under the program can earn researchers rewards ranging from $500 for moderate issues to a maximum of $27,000 for critical vulnerabilities.

High-impact scenarios, such as remote code execution (CWE-94 or CWE-502), cross-tenant sensitive data leakage, or authentication bypass through “confused deputy” server-side requests (CWE-918), can fetch additional rewards, with bonuses ranging from 15% to 80%.

Microsoft further incentivizes submissions during its “Zero Day Quest” event, increasing awards by up to 50%.

Focus on Critical Vulnerabilities

Submissions must identify previously unknown vulnerabilities in in-scope services and provide a clear, reproducible proof of concept (PoC).

Accepted issues typically include cross-site scripting (XSS), insecure deserialization, SQL injection, server-side code execution, and cross-tenant data tampering.

Reports must include concise testing steps, enabling Microsoft’s engineering teams to swiftly resolve the vulnerabilities.

Microsoft emphasizes responsible practices in vulnerability testing. Researchers are encouraged to set up their own test accounts and tenants for probing, but must not access data they are not authorized to see, perform denial-of-service attacks, or engage in phishing or social engineering.

The program scope is strictly limited to technical vulnerabilities in M365 services and adheres to a clear set of rules to ensure responsible research.

By enhancing the M365 Bounty Program, Microsoft underscores its trust in external researchers and its dedication to fostering a collaborative security ecosystem.

In alignment with related programs like the Azure and Dynamics 365 Bounty Programs, this initiative ensures vulnerabilities across Microsoft’s suite of cloud services are diligently addressed.

Security researchers interested in participating can learn more and get started by reviewing the program’s terms and resources on Microsoft’s official website.

By working together with experts globally, Microsoft continues to commit itself to delivering secure solutions for its users.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
