Microsoft bug bounty: Now it doubles cash to put more focus on Office 365 flaws

Microsoft wants security researchers to switch more of their efforts to core applications in Office 365.
Written by Liam Tung, Contributing Writer

The higher payments for bugs in core web apps in the Office 365 suite will be on offer until May 1.

Image: Microsoft

For a limited time, Microsoft is doubling its top bug bounty reward to $30,000 for flaws that researchers find in core Office 365 applications.

The higher payments will be on offer between March 1 and May 1, and will pay researchers between $1,000 and $30,000, depending on the severity of the vulnerability they discover.

The temporary program covers bugs found in:

  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • outlook.com

Microsoft's ongoing regular bounty pays researchers between $500 and $15,000 per qualifying bug across dozens of domains, and up to $100,000 under its Mitigation Bypass Bounty for novel techniques that defeat platform mitigations. The latest move is meant to steer researchers toward the core web applications in the Office 365 suite.

"Securing Exchange Online, Microsoft's hosted enterprise email solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device," wrote Akila Srinivasan and Travis Rhodes of the Microsoft Security Response Center.

"Office 365 admin portal is the web management interface for managing tenant access. This portal is an important piece in protecting tenants and tenant admins from compromise," they added.

The higher rewards were announced at the Nullcon hacker conference in India last week.

Google also announced larger payouts from its bug bounty scheme at the conference. It is permanently raising its top reward for remote code execution bugs affecting Google, Blogger, and YouTube from $20,000 to $31,337, an increase of more than 50 percent.

Google said the higher payouts are needed because finding high-severity vulnerabilities is now harder. In 2016, Google paid about $3m to security researchers who reported bugs under its rewards programs.
