Microsoft sets up bug bounties for online services

Test our software, but don't break it, says Redmond

Having tasted the fruit of the crowd's tree of knowledge, Microsoft has decided it likes it, and is expanding its bug bounty program to cover a broad range of online services.

In a post on TechNet, Redmond lists a bunch of domains that are eligible for the expanded bug bounty, including online Outlook, Office 365, SharePoint, and Yammer services.

Cross-site scripting (XSS), cross-site request forgery (CSRF), cross-tenant data tampering, insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation, and security misconfigurations will all be eligible for bounties, the post states.

Don't, however, even think about testing the services for denial-of-service: it's prohibited, along with generating heavy traffic loads, accessing anyone else's data, testing your server-side execution beyond proof-of-concept stage, or firing phishing attacks against Microsoft staff.

There's also a fairly extensive list of submissions that won't be eligible for the bounty. These include:

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”);
  • Server-side information disclosure such as IPs, server names and most stack traces;
  • Bugs in the web application that only affect unsupported browsers and plugins;
  • Bugs used to enumerate or confirm the existence of users or tenants;
  • Bugs requiring unlikely user actions;
  • URL Redirects (unless combined with another flaw to produce a more severe vulnerability);
  • Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example);
  • “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant;
  • Low impact CSRF bugs (such as logoff);
  • Denial of Service issues; and
  • Cookie replay vulnerabilities.

Microsoft first dipped its toe in the bug-bounty waters in 2013, offering US$100,000 during last year's Black Hat conference in July to let hackers stress-test Windows 8 and IE 11.

The new bug bounty program starts a little more modestly, with the minimum payment set at US$500.