Microsoft has increased its Bug Bounty awards by up to 30% for security researchers who discover vulnerabilities in Office 365 and Microsoft Account services.
“Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security,” a Microsoft Security Response Center (MSRC) announcement disclosed.
What are Microsoft Bug Bounty prices?
Awards increase by up to 30% for eligible scenario submissions and can reach $26,000 per reported vulnerability. Microsoft noted that flaws that aren’t considered “high priority” are still eligible for rewards under the General Awards program.
“If a reported vulnerability does not qualify for a bounty award under the High Impact Scenarios, it may be eligible for a bounty award under General Awards,” the company says. Higher awards remain possible at Microsoft’s discretion, based on the severity and impact of the vulnerability and the quality of the submission.
Award increases
- Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”) by 30.00%
- Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”) by 30.00%
- Unauthorized cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) by 20.00%
- Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”) by 20.00%
- “Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”) by 15.00%
Microsoft also announced that it has expanded its bug bounty programs to include Exchange, SharePoint, and Skype for Business. Security researchers can now discover and report flaws in Exchange and SharePoint servers to earn rewards ranging from $500 to $26,000. Severity multipliers (between 15% and 30%) can further raise the payout for a reported vulnerability.
The M365 Bounty Program page provides further information on reward amounts, high-impact situations, and the new in-scope domains list.