HomeWinBuzzer NewsMicrosoft Bounty Program: Bigger Rewards for Bugs Affecting Microsoft 365, Power Platform,...

Microsoft Bounty Program: Bigger Rewards for Bugs Affecting Microsoft 365, Power Platform, and Dynamics

A new Microsoft Bounty scenario-based rewards offers tiered specific rewards for high-impact flaws in Microsoft 365 and Dynamics.

-

Bounty Program is becoming more generous to researchers/ who discover high-impact bugs in important Microsoft services. According to the company, there are new “scenario-based” awards available in the Bounty Program and the Dynamics and Power Platform Bounty Program.

The new scenario-based rewards have been created to entice researchers to put more effort into finding “vulnerabilities that have the highest potential impact on customer privacy and security”.

Microsoft Bounty Program places the new awards on top of the current general awards given for security bugs. In total, the new scenario-based awards provide up to $26,000 in bounty awards.

Scenario-Based Rewards

In a blog post to announce the new conditions, Microsoft provides the following breakdown of rewards:

and Power Platform Bounty Program

Scenario

                                                                          Maximum Award

Cross-tenant information disclosure

                                                                                      $20,000

M365 Bounty Program

Eligible submissions may qualify for 15-30% bonuses on top of the general M365 bounty awards and will be awarded the single highest qualifying award.

Scenario

Maximum Award

Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection')”)

+30%

Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”)

+30%

Unauthorized Cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”)

+20%

Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”)

+20%

“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”)”

+15%

Tip of the day: The Windows Sandbox gives /11 Pro and Enterprise users a safe space to run suspicious apps without risk. In out tutorial we show you how to enable the Windows Sandbox feature.

SourceMicrosoft
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News