Microsoft Offers Cash For Office 365 Flaws

Microsoft has launched an Online Services Bug Bounty Programme that will pay out cash awards of a minimum of $500 (£300) for flaws in the company’s web applications, beginning with Office 365.

The scheme joins a programme launched in June of last year, which offered bounties of up to $100,000 for vulnerabilities in Windows 8.1 and up to $11,000 for bugs in Internet Explorer.

User ‘freedom’

Microsoft said the programme is designed to help improve the security of its tools, but is also in response to customer demand for “the freedom to examine and understand the security profile of our offerings”.

“With these rules, you can now validate the security of the service, and if you identify issues and meet the eligibility requirements, Microsoft will compensate you for that good work,” said Travis Rhodes, senior security lead for Office 365, in a blog post.

Microsoft is offering bounties for “significant web application vulnerabilities” affecting eligible online service domains, which include portal.office.com, outlook.com, outlook.office365.com and others.

Bug types eligible for the rewards include Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), privilege escalation, server-side code execution and significant security misconfigurations, but not bugs requiring “unlikely user actions,” denial of service issues or cookie replay vulnerabitlities, Microsoft said.

Direct impact

“The aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users’ data,” the company said in a document outlining the programme’s rules.

In addition, participants are prohibited from engaging in activities including Denial of Service testing, accessing data they don’t own or attempting phishing or social-engineering attacks against Microsoft employees.

“The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services,” Microsoft said. Payments will be at Microsoft’s discretion, based on the impact of the vulnerability, it added.

Such bounty programmes have long been operated by major IT companies, with Twitter launching a bounty scheme earlier this month.

Do you know all about IT and the law? Take our quiz.