Microsoft is today calling on Office Insider Program members on the Windows platform to improve Office. The company announced that it has launched a Bug Bounty Program for the productivity service. This is only for users of the suite on the company’s own Windows 10 platform. The MSRC Team says it wants to get Insiders more involved.
The Office Insider Program already lets users provide feedback on preview features and builds. However, Microsoft wants more customer input. The Bug Bounty Program will allow users to get rewards for finding flaws in Office.
Of course, the aim is to make Office as secure as possible. Like Microsoft’s previous bounty programs, the Office version allows users to hunt for problems in the suite. As usual, the company is offering substantial money for zero-day vulnerabilities that are found.
Qualifying contributions can get a minimum of $500 and a maximum of $15,000, depending on various factors. Of course, understanding what counts as an eligible submission is important, so Microsoft has detailed the criteria:
- Identify an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 Desktop
- The vulnerability must reproduce on the most recent Office Insider slow build to qualify for a bounty (If a submission reproduces in a previous Office Insider slow build but not the current Office slow build available at the time of your submission, then the submission is ineligible)
- Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the Office version number and slow build number on which the vulnerability reproduces (To find the number, go to File -> Account -> Office update (version and build number))
Bug Bounty Programs
Offering a bounty for discovered flaws is not a new concept for Microsoft. The company has introduced bounty programs across several services. Indeed, Office 365 already has its own bug bounty program.
At the start of this month, Microsoft increased its bounty offerings to a maximum of $30,000 for zero-days found in Office 365.
Microsoft announced its first Bug Bounty in September 2014. The initial program was for Microsoft Online Services.
Since then, the company has expanded the program across Azure (April 2015) and Office 365 (August 2015). In September 2016, the Bug Bounty also extended to the Microsoft Edge Insider Program.