Microsoft Bounty Program is becoming more generous to researchers/hackers who discover high-impact bugs in important Microsoft services. According to the company, there are new “scenario-based” awards available in the Microsoft 365 Bounty Program and the Dynamics and Power Platform Bounty Program.
The new scenario-based rewards have been created to entice researchers to put more effort into finding “vulnerabilities that have the highest potential impact on customer privacy and security”.
Microsoft Bounty Program places the new awards on top of the current general awards given for security bugs. In total, the new scenario-based awards provide up to $26,000 in bounty awards.
Scenario-Based Rewards
In a blog post to announce the new conditions, Microsoft provides the following breakdown of rewards:
“Dynamics 365 and Power Platform Bounty Program
|
Scenario |
Maximum Award |
|
Cross-tenant information disclosure |
$20,000 |
M365 Bounty Program
Eligible submissions may qualify for 15-30% bonuses on top of the general M365 bounty awards and will be awarded the single highest qualifying award.
|
Scenario |
Maximum Award |
|
Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection')”) |
+30% |
|
Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”) |
+30% |
|
Unauthorized Cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) |
+20% |
|
Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”) |
+20% |
|
“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”)” |
+15% |
Tip of the day: The Windows Sandbox gives Windows 10/11 Pro and Enterprise users a safe space to run suspicious apps without risk. In out tutorial we show you how to enable the Windows Sandbox feature.
