Having tasted the fruit of the crowd's tree of knowledge, Microsoft has decided it likes it, and is expanding its bug bounty program to cover a broad range of online services.
In this post at Technet, Redmond lists a bunch of domains that are eligible for the expanded bug bounty, including online Outlook, Office365, Sharepoint, Windows.net, Microsoftonline.com and Yammer services.
Cross-site scripting (XSS), cross-site request forgery (CSRF), cross-tenant data tampering, insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation, and security misconfigurations will all be eligible for bounties, the post states.
Don't, however, even think about testing the services for denial-of-service: it's prohibited, along with generating heavy traffic loads, accessing anyone else's data, testing your server-side execution beyond proof-of-concept stage, or firing phishing attacks against Microsoft staff.
There's also a fairly extensive list of submissions that won't be eligible for the bounty. These include:
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”);
- Server-side information disclosure such as IPs, server names and most stack traces;
- Bugs in the web application that only affect unsupported browsers and plugins;
- Bugs used to enumerate or confirm the existence of users or tenants;
- Bugs requiring unlikely user actions;
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability);
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example);
- “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant;
- Low impact CSRF bugs (such as logoff);
- Denial of Service issues; and
- Cookie replay vulnerabilities.
Microsoft first dipped its toe in the bug-bounty waters in 2013, offering US$100,000 during last year's Black Hat conference in July to let hackers stress-test Windows 8 and IE 11.
The new bug bounty program starts a little more modestly, with the minimum payment set at US$500. ®