Skip to main content

On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program

Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program.

Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions. The following products are now eligible for bounty awards:

  • Exchange on-premises
  • SharePoint on-premises
  • Skype for Business on-premises

That’s not all! The bounty also includes high-impact scenarios offering the highest awards to research in areas with the highest potential impact to customer security.

Security Impact Severity Multiplier
EXCHANGE ONLY: Server-Side Request Forgery allows an attacker to make server-side HTTP requests to arbitrary URLs. 20%
SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL 20%
Insecure deserialization of user-controllable data, leading to remote code execution on server 30%
Arbitrary file write of user-controlled data on user-controlled location on the server. 20%
Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities 20%
Vulnerabilities within Exchange Emergency Mitigation Service (EEMS) 15%

To learn more about eligible scope and award amounts, please visit the Applications and On-Premises Servers Bounty Program page.

Microsoft’s bug bounty programs are just one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers. If you have any questions about the new On-Premises Servers scope or general inquiries about any other security research incentive program, please contact us at

Madeline Eckert and Lynn Miyashita, MSRC

Related Posts

How satisfied are you with the MSRC Blog?


Feedback * (required)

Your detailed feedback helps us improve your experience. Please enter between 10 and 2,000 characters.

Thank you for your feedback!

We'll review your input and work on improving the site.