Saturday, February 8, 2025

Microsoft Enhances M365 Bounty Program with New Services & Rewards Up to $27,000


Microsoft has announced updates to its Microsoft 365 (M365) Bug Bounty Program, adding services to the scope, clarifying the submission guidelines, and offering bounty awards ranging from $500 to $27,000.

The initiative reflects Microsoft’s ongoing commitment to cybersecurity and enlisting global security researchers to enhance user safety.

The Microsoft 365 Bounty Program invites security researchers worldwide to uncover and report vulnerabilities in specific M365 services and products, such as Office 365 and Microsoft Account.

The program focuses on critical vulnerabilities: to qualify, a reported issue must have a direct and demonstrable impact on the security of M365 users.

Researchers whose findings meet the program’s stringent criteria stand a chance to earn considerable financial rewards.

Expanded Rewards and High-Impact Scenarios

Eligible submissions under the program can earn researchers rewards ranging from $500 for moderate issues to a maximum of $27,000 for critical vulnerabilities.

High-impact scenarios, such as remote code execution via code injection (CWE-94) or insecure deserialization (CWE-502), cross-tenant leakage of sensitive data, or server-side request forgery (CWE-918), in which the M365 service is abused as a "confused deputy" to make requests on the attacker's behalf and bypass authentication, can attract additional awards, with bonuses ranging from 15% to 80%.

Microsoft further incentivizes submissions during its “Zero Day Quest” event, increasing awards by up to 50%.

Focus on Critical Vulnerabilities

Submissions must identify previously unknown vulnerabilities in in-scope services and provide a clear, reproducible proof of concept (PoC).

Accepted issues typically include cross-site scripting (XSS), insecure deserialization, SQL injection, server-side code execution, and cross-tenant data tampering.

Reports must include concise testing steps, enabling Microsoft’s engineering teams to swiftly resolve the vulnerabilities.

Microsoft emphasizes ethical testing practices. Researchers are expected to set up their own test accounts and tenants for probing, and must not access data that does not belong to them, perform denial-of-service attacks, or use phishing or social engineering against Microsoft employees or customers.

The program scope is strictly limited to technical vulnerabilities in M365 services and adheres to a clear set of rules to ensure responsible research.

By enhancing the M365 Bounty Program, Microsoft underscores its trust in external researchers and its dedication to fostering a collaborative security ecosystem.

In alignment with related programs like the Azure and Dynamics 365 Bounty Programs, this initiative ensures vulnerabilities across Microsoft’s suite of cloud services are diligently addressed.

Security researchers interested in participating can learn more and get started by reviewing the program’s terms and resources on Microsoft’s official website.

By working together with experts globally, Microsoft continues to commit itself to delivering secure solutions for its users.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
