New Online Services Bug Bounty Program
Written by Sue Gee   
Friday, 26 September 2014

Microsoft has launched a bug bounty program covering its Online Services, starting with Office 365. Rewards for qualified submissions start at $500.


Microsoft already has an established Bug Bounty Program, including the Mitigation Bypass Bounty, which pays up to $100,000 USD for novel exploitation techniques against protections built into its newest operating systems, and the BlueHat Bonus for Defense, an additional up to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.

Now it is extending the idea of paying for vulnerability reports to its online services, stating:

Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure.

Qualified submissions for the Online Services Bug Bounty will be eligible for a minimum payment of $500, with the proviso that:

Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.

Eligible submissions include vulnerabilities of the following types:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration

The program is restricted to the following domains:

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com - excluding user-generated content
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

You also need to be aware of the rules governing the testing of the above bounty-eligible online services. The terms and conditions state:

You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string "MSOBB" in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program.

Additionally, all of the following are prohibited:

  • Any kind of Denial of Service testing.
  • Performing automated testing of services that generates significant amounts of traffic.
  • Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
  • Moving beyond "proof of concept" repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).
  • Attempting phishing or other social engineering attacks against our employees.

So is $500 enough to justify going to so much trouble? Well, it is a minimum, and Microsoft has a record of paying substantial sums for critical bugs.

Last Updated ( Friday, 26 September 2014 )