Microsoft is adding another bug bounty to its collection. This time, it’s the Dynamics 365 CRM software, and the rewards scale up to $20k. That’s a similar amount to its Azure DevOps bounty in January, but nothing close to the $250k it was offering for Meltdown and Spectre.
Even so, this could be a good opportunity for budding security researchers. The program covers all Dynamics 365 apps, including Talent, Sales, and Remote Assist, as well as on-premises products like Dynamics CRM.
$20k is the maximum researchers can expect to receive, and most won’t get anywhere near that. The top payout is reserved for high-severity critical remote code execution bugs. However, you can still get $15k for medium-severity RCEs, or for high-severity important ones.
Meanwhile, elevation of privilege bugs will earn you $1,000–8,000. Information disclosure scales similarly, while important spoofing and tampering issues pay between $500 and $3,000.
As is standard, the bounty only applies to the latest versions of the applications. The vulnerabilities also can’t depend on user configuration actions, third-party software, or DoS attacks. Researchers must provide reproducible steps to receive the payment.
Microsoft has previously been criticized for its bug bounty program, which led to one researcher releasing zero-day exploits on Twitter. Some submitters say the company has been very slow to confirm bugs, and slower still to give word about the bounty.
Earlier this year, Microsoft announced changes to its bounty program that should mean payments are issued faster. In February, GitHub revealed changes to its program too, relaxing legal restrictions while increasing the rewards.