The Online Services Bug Bounty program is active as of today, September 23, 2014. Microsoft decides whether a bug qualifies under the terms of the program. The minimum payment for a qualifying bug is $500.
The terms include a list of vulnerability types that qualify under the program:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Flaws
- Authentication Flaws
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration
The terms also list the Microsoft domains for which Microsoft will pay a bounty. Although outlook.com is one of the domains included, it is covered only with respect to the Office 365 business services. The consumer outlook.com service is not yet eligible for bounties.
There is also a list of "flaws" which don't qualify. One of them, Denial of Service, can be serious, but it's likely Microsoft doesn't want to encourage DoS testing.
While it was in prerelease, Microsoft ran a bug bounty program for Internet Explorer 11. The company currently has one other bug bounty, which calls for bypass techniques for mitigation technologies such as ASLR. Because of the high price such bypasses command, Microsoft pays top dollar for them, up to $100,000. The company also offers awards for defensive technologies.