Bug hunters who discover and report high-impact security vulnerabilities in on-premises Exchange, SharePoint and Skype for Business may earn as much as $26,000 per eligible submission, Microsoft has announced.
The highest awards will go to those who discover vulnerabilities with the highest potential impact on customer security. This includes vulnerabilities that enable scenarios such as:
- Insecure deserialization of user-controllable data, leading to remote code execution on the server
- Arbitrary file write of user-controlled data to a user-controlled location on the server
- Authentication bypass that allows unauthenticated exploitation, which in turn enables mass exploitation of vulnerabilities
- Vulnerabilities within the Exchange Emergency Mitigation Service (EEMS)
- Server-Side Request Forgery that allows an attacker to make server-side HTTP requests to arbitrary URLs (Exchange only)
- Authenticated Server-Side Request Forgery that allows an attacker to make authenticated server-side HTTP requests to arbitrary URLs (SharePoint only)
More information about in-scope and out-of-scope vulnerabilities is available on the Microsoft Applications and On-Premises Servers Bounty Program page.
In general, technical vulnerabilities are in scope, while phishing and other social engineering attacks against Microsoft employees are forbidden.