For the next few months Microsoft is doubling bounties offered to security researchers who discover vulnerabilities in its Office 365 services, with the maximum amount now at $30,000.
The Redmond, WA-based software giant said this increase in bounty value is from March 1 and May 1 this year, and covers vulnerabilities discovered in Exchange Online and Office 365 Admin portal, with the following domains included: portal.office.com, outlook.office365.com, outlook.office.com, outlook.live.com, and *.outlook.com.
“These properties are core web applications in the Office 365 suite. Securing Exchange Online, Microsoft’s hosted enterprise email solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device. Office 365 admin portal is the web management interface for managing tenant access. This portal is an important piece in protecting tenants and tenant admins from compromise,” Microsoft said.
Previously, Microsoft offered bounties between $500 and $15,000, and after the increase, researchers can get between $1,000 and $30,000.
The following vulnerabilities are eligible for the program: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Vulnerabilities, Authentication Vulnerabilities, Server-side Code Execution, Privilege Escalation, Significant Security Misconfiguration (when not caused by user).
The Microsoft Online Services Bug Bounty program first launched in September 2014 and then expanded in April and August 2015 to include additional services.
The effort covers Microsoft Office 365 Portal and Microsoft Exchange Online. Microsoft uses it to find and patch security flaws in its services with help from experts across the world who can report their findings to the company in exchange for a certain financial reward.