Microsoft wants to send the message that it is serious about the security of its popular Teams desktop application, and it’s willing to put some cash behind the talk. A new bug-bounty program offers up to $30,000 for security vulnerabilities, with top payouts going to those with the most potential to expose Teams user data.
“The Teams desktop client is the first in-scope application under the new Apps Bounty Program, we look forward to sharing updates as we bring additional apps into this bounty program scope,” the program manager Lynn Miyashita said in her statement about the launch.
Researchers can claim five scenario-based awards under the new Apps Bounty Program, ranging from $6,000 to $30,000, with the highest payouts available for “vulnerabilities that have the highest potential impact on customer privacy and security,” the company said.
General bounties range from $500 to $15,000, and there are other incentives: standout bug hunters can earn a spot on Microsoft’s “Researcher Recognition Program” and eligibility for the yearly MSRC Most Valuable Security Researcher list, Miyashita explained.
Security researchers with Teams online vulnerabilities to report will still submit those through the Online Services Program, the announcement added.
Bug-Bounty Programs Inspire Customer Confidence
Beyond offering a nice payday for security researchers, the move to dedicate a bug-bounty program to Teams gives Microsoft some brand support with customers, judging from a recent survey.
Conducted by the Ponemon Institute and commissioned by Intel, the poll found that three-quarters of IT pros in charge of purchasing tech prefer to buy from vendors who are proactive about security. Bug-bounty programs are increasingly part of that package.
“Security doesn’t just happen,” Suzy Greenberg, vice president, Intel Product Assurance and Security, said about the Ponemon Institute survey findings. “If you are not finding vulnerabilities, then you are not looking hard enough.”
Certainly, the cloud-collaboration market has seen plenty of security bugs and breaches in recent months, particularly following lockdowns, when these services became vital to everyday business.
Collaboration App Security Storm
Teams has been used in phishing lure scams, and last fall attackers used fake Teams updates to target users with malware.
Rival cloud-collab service Zoom has also had its share of embarrassing security fails, including a vanity URL zero-day flaw discovered last July, recurring Zoom bombings, impersonation attacks and this month’s Zoom screen-sharing glitch, which “briefly” leaked sensitive data.
The launch of Microsoft’s bug bounty program will both help root out these flaws before they become headlines and signal a renewed commitment to proactive security.
“Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats,” Microsoft’s Miyashita wrote.