We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.
|Cross-tenant information disclosure||$20,000|
Eligible submissions may qualify for 15-30% bonuses on top of the general M365 bounty awards and will be awarded the single highest qualifying award.
|Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”)||+30%|
|Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”)||+30%|
|Unauthorized Cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”)||+20%|
|Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”)||+20%|
|“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”)||+15%|
These new bounty awards are part of our continued efforts to partner with the security research community as part of Microsoft’s holistic approach to defending against security threats. If you have any questions about these new scenarios or any other security research incentive program, please email us at firstname.lastname@example.org.
Lynn Miyashita and Madeline Eckert, MSRC