Bug bounty programs are something that almost every major (and many minor) company has in place. Encouraging black hats and grey hats to act as white hats, a bug bounty program offers a reward (usually both cash and company swag) to a hacker for finding vulnerabilities in the company's website, service or product and disclosing them to the company. This is as opposed to a hacker finding the vulnerability and then exploiting it themselves or selling it on the black market. By having such a program in place, the company benefits by deterring hackers from exploiting its services, and it gets a more secure system once the vulnerability is reported and patched.
Under the new bug bounty program, the vulnerabilities they are looking for are restricted to the following types:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration
On only the following domains:
- portal.office.com
- *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com - excluding user-generated content
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net
There are various other rules and restrictions (as with any other bug bounty program) that can be viewed here in the terms and conditions. The minimum payout for any bug is $500.
Microsoft has had a bug bounty program in place for years, but it has usually been limited to their software: things like Windows, Microsoft Office or Internet Explorer exploits. This marks, in their own words, an evolution of their bug bounty program, and it will be interesting to see what comes of it.
Source: Microsoft BlueHat Blog | Image via BlogSolute