Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program.
Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions. The following products are now eligible for bounty awards:
- Exchange on-premises
- SharePoint on-premises
- Skype for Business on-premises
That’s not all! The bounty also includes high-impact scenarios offering the highest awards to research in areas with the highest potential impact to customer security.
| Security Impact | Severity Multiplier |
|---|---|
| EXCHANGE ONLY: Server-Side Request Forgery allows an attacker to make server-side HTTP requests to arbitrary URLs. | 20% |
| SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL | 20% |
| Insecure deserialization of user-controllable data, leading to remote code execution on server | 30% |
| Arbitrary file write of user-controlled data on user-controlled location on the server. | 20% |
| Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities | 20% |
| Vulnerabilities within Exchange Emergency Mitigation Service (EEMS) | 15% |
To learn more about eligible scope and award amounts, please visit the Applications and On-Premises Servers Bounty Program page.
Microsoft’s bug bounty programs are just one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers. If you have any questions about the new On-Premises Servers scope or general inquiries about any other security research incentive program, please contact us at bounty@microsoft.com.
Madeline Eckert and Lynn Miyashita, MSRC