Microsoft launched a new bug bounty program, this time for finding vulnerabilities in its online services. Microsoft said it will pay a minimum of $500 for qualified bug bounty submissions.
Microsoft Online Services Bug Bounty covers the following domains:
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
Before testing, however, Microsoft said to check “WHOIS” records for all resolved IPs to ensure the domain is owned by Microsoft. Third parties that host for Microsoft, under subdomains owned by Microsoft, are not part of the online bug bounty program. Office 365 separately announced its participation in the program because it takes “security vulnerabilities very seriously;” customers asked Microsoft for it; it’s the “right thing to do.”
In order for web application vulnerability submissions to be processed as quickly as possible and result in the highest payment possible, Microsoft wants submissions to include concise reproduction steps that can be easily understood. Eligible submissions include the following vulnerabilities types: “Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Flaws, Authentication Flaws, Server-side Code Execution, Privilege Escalation and Significant Security Misconfiguration.”
Even if you find vulnerabilities in Microsoft’s online services, no bounty will be awarded for any of the following “categories of vulnerabilities even if otherwise eligible for a bounty.”
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names and most stack traces
- Bugs in the web application that only affect unsupported browsers and plugins
- Bugs used to enumerate or confirm the existence of users or tenants
- Bugs requiring unlikely user actions
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability)
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)
- ”Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Cookie replay vulnerabilities
Here are the rules for testing. Microsoft said, "You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string ‘MSOBB’ in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program."
The following are not allowed to be tested on Microsoft online services:
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
- Moving beyond “proof of concept” repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).
- Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.