Microsoft Offers Cash For Office 365 Flaws

Microsoft has launched an Online Services Bug Bounty Programme that will pay out cash awards of a minimum of $500 (£300) for flaws in the company’s web applications, beginning with Office 365.

The scheme joins a programme launched in June of last year, which offered bounties of up to $100,000 for vulnerabilities in Windows 8.1 and up to $11,000 for bugs in Internet Explorer.

User ‘freedom’

Microsoft said the programme is designed to help improve the security of its tools, but is also in response to customer demand for “the freedom to examine and understand the security profile of our offerings”.

“With these rules, you can now validate the security of the service, and if you identify issues and meet the eligibility requirements, Microsoft will compensate you for that good work,” said Travis Rhodes, senior security lead for Office 365, in a blog post.

Microsoft is offering bounties for “significant web application vulnerabilities” affecting eligible online service domains, which include portal.office.com, outlook.com, outlook.office365.com and others.

Bug types eligible for the rewards include Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), privilege escalation, server-side code execution and significant security misconfigurations, but not bugs requiring “unlikely user actions,” denial of service issues or cookie replay vulnerabitlities, Microsoft said.

Direct impact

“The aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users’ data,” the company said in a document outlining the programme’s rules.

In addition, participants are prohibited from engaging in activities including Denial of Service testing, accessing data they don’t own or attempting phishing or social-engineering attacks against Microsoft employees.

“The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services,” Microsoft said. Payments will be at Microsoft’s discretion, based on the impact of the vulnerability, it added.

Such bounty programmes have long been operated by major IT companies, with Twitter launching a bounty scheme earlier this month.

Do you know all about IT and the law? Take our quiz.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago