Microsoft Starts Online Services Bug Bounty

Microsoft today launched the Microsoft Online Services Bug Bounty Program which will pay out a minimum of $500 for vulnerabilities found in its cloud services such as Office 365.

Microsoft had always rejected the possibility of a full-scale bug bounty, relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC).

Yet in the past couple of years, the company has bent a bit in the other direction, instituting reward programs for researchers who develop new bypasses for exploit mitigations, or defensive techniques that can be folded into Microsoft products.

The company has already paid out several hundred thousands of dollars to researchers who have successfully beaten exploit mitigations in Windows, including ASLR, DEP, SEHOP and more, as well as rewarding one researcher $200,000 for a new technique to defend against return-oriented programming (ROP) attacks.

Individual vulnerability payouts have been off the board for the most part (Microsoft did institute a temporary bounty for Internet Explorer 11 in the summer of 2013), until today when Microsoft launched the Microsoft Online Services Bug Bounty Program. Bounties start at $500,and vulnerabilities in cloud-based services such as Office 365 are the first eligible in the program, Microsoft said.

“Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains,” Microsoft said in a statement announcing the program, adding that researchers must also submit concise steps that will allow Microsoft engineers to reproduce the vulnerability.

Only certain domains are eligible, Microsoft said. That list includes:

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

Only certain vulnerability classes are eligible as well, including cross-site scripting, cross-site request forgery, insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation, security configuration issues and cross-tenant data tampering or access eligible in multitenant services, Microsoft said.

“The aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users’ data,” Microsoft said.

Microsoft also listed a number of vulnerabilities that are ineligible; those include:

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names and most stack traces
  • Bugs in the web application that only affect unsupported browsers and plugins
  • Bugs used to enumerate or confirm the existence of users or tenants
  • Bugs requiring unlikely user actions
  • URL Redirects (unless combined with another flaw to produce a more severe vulnerability)
  • Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)
  • “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Cookie replay vulnerabilities

Microsoft also made it clear that it wants researchers to shy away from denial-of-service testing or any type of automated testing of its services that could lead to significant traffic sent their way. Researchers are also discouraged from trying to access data belonging to someone else consuming a cloud service or expanding a test to include social engineering or phishing against Microsoft employees.

Microsoft said complete submissions can be sent to secure@microsoft.com.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.