Microsoft launches cloud bug bounty starting with Office 365

Vulnerabilities that qualify under the program net at least $500 for the submitter. The company says customers asked for it.

Microsoft has announced a new bug bounty program for their online services. The first online service to be included is Office 365.

Special Feature

Cloud: How to Do SaaS Right

Software as a Service offers irresistible benefits for organizations of all sizes — from cost savings to scalability to mobile accessibility. We offer guidance on avoiding the pitfalls of the cloud and choosing your SaaS partners well.

Read More

The Online Services Bug Bounty program is active as of today, September 23, 2014. Microsoft decides whether a bug qualifies under the terms of the program. The minimum payment for a qualifying bug is $500. 

The terms include a list of vulnerability types that qualify under the program:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Flaws
  • Authentication Flaws
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration

The terms also list the Microsoft domains for which Microsoft will pay a bounty. Even though is one of the domains included, this is only true as it regards Office 365 business services. The consumer is not yet eligible for bounties.

There is also a list of "flaws" which don't qualify. One of them, Denial of Service, can be serious, but it's likely Microsoft doesn't want to encourage DoS testing.

While it was in prerelease, Microsoft ran a bug bounty program for Internet Explorer 11. The company has one other bug bounty currently, calling for bypass techniques for mitigation technology like ASLR. Because of the high price, such hacks command Microsoft pay top dollar for them, up to $100,000. The company also offers awards for defensive technologies.