Microsoft launches bug bounty program for Online Services

Microsoft has launched another bug bounty program, and this one will focus on its Online Services.

Bug hunters are urged to submit vulnerabilities affecting the following services: Office 365, Outlook (only as it regards Office 365 business services), Microsoft Online Services, Sharepoint, Lync, Yammer, and several others.

The company is looking for XSS and CSRF bugs, injection and authentication flaws, server-side code execution and privilege escalation vulnerabilities, misconfiguration holes, insecure direct object references and vulnerabilities allowing unauthorized cross-tenant data tampering or access.

“Qualified submissions are eligible for a minimum payment of $500 USD,” the company announced. “Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.”

As is usual with this type of bug bounty programs, Microsoft prohibits bug hunters from doing DoS testing, automated testing that could lead to DoS, gaining access to accounts that are not theirs (they should use test accounts and tenants for their probing), trying social engineering and phishing attacks against the company’s employees, and “moving beyond PoC repro steps for server-side execution issues.”

A list of ineligible submissions has also been provided.