Microsoft asks bug hunters to probe on-premises Exchange, SharePoint servers

Bug hunters who discover and report high-impact security vulnerabilities in on-premises Exchange, SharePoint and Skype for Business may earn as much as $26,000 per eligible submission, Microsoft has announced.

The highest awards will go to those who discover vulnerabilities with the highest potential impact on customer security. This includes vulnerabilities that allow for scenarios like:

  • Insecure deserialization of user-controllable data, leading to remote code execution on the server
  • Arbitrary file write of user-controlled data to a user-controlled location on the server
  • Authentication bypass that allows for unauthenticated exploitation, which results in mass exploitation of vulnerabilities
  • Vulnerabilities within Exchange Emergency Mitigation Service (EEMS)
  • Server-Side Request Forgery that allows an attacker to make server-side HTTP requests to arbitrary URLs (Exchange only)
  • Authenticated Server-Side Request Forgery that allows an attacker to make authenticated server-side HTTP requests to arbitrary URLs (SharePoint only)

More information about in-scope and out-of-scope vulnerabilities is available on the Microsoft Applications and On-Premises Servers Bounty Program page.

In general, technical vulnerabilities are in scope, and phishing or other social engineering attacks against Microsoft employees are forbidden.