Microsoft strives to protect our customers and we’re constantly improving our security posture to meet their needs. We recognize that researchers and customers want to security test our services to ensure they can trust us and our solutions. We also believe that if a researcher informs us of a security flaw in our Office 365 services, they should be rewarded for protecting us. These discoveries, along with our internal security testing efforts, contribute to keeping our users safe.
In keeping with our philosophy of protecting users and rewarding researchers, we are pleased to announce an update to our Online Services bounty program. We will be giving out double rewards from March 1, 2017 to May 1, 2017 for eligible vulnerabilities submitted in Exchange Online and Office 365 Admin Portal.
These properties are core web applications in the Office 365 suite. Securing Exchange Online, Microsoft’s hosted enterprise e-mail solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device. The Office 365 admin portal is the web management interface for managing tenant access. This portal is an important piece in protecting tenants and tenant admins from compromise.
We will be announcing details of this bounty program and hosting multiple training workshops on how Microsoft assigns bounties for our online services properties in the Bountycraft workshop at Nullcon 2017. Stop by our training sessions to learn more.
Bounty program important takeaways:
- The domains that will be receiving double rewards are:
  - portal.office.com
  - outlook.office365.com
  - outlook.office.com
  - outlook.live.com
  - *.outlook.com
- Types of vulnerabilities awarded are listed in the Online Services Bug Bounty Terms
- The double bounty period is March 1, 2017 to May 1, 2017
- Bounty payout ranges during this period will be $1,000 to $30,000 USD

Call to action: send your vulnerabilities to secure@microsoft.com to earn double amounts from March to May 2017.
As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.
Akila Srinivasan and Travis Rhodes, MSRC