Microsoft has added another bug bounty to its security rewards lineup. For the first time, researchers will be able to hunt for bugs in Dynamics 365 ERP and CRM software, and get rewards of up to $20,000.
The Dynamics 365 Bounty program opens today, inviting researchers to find and report vulnerabilities in Microsoft's Dynamics 365 applications, for rewards of between $500 and $20,000 for valid bugs.
There are dozens of online and on-premise Dynamics 365 applications; the suite's online apps include Dynamics 365 for sales, customer service, field service, talent, finance and operations, retail and more. The latest releases of on-premise Dynamics 365 apps are also in scope, including Dynamics AX, CRM, GP, NAV, and SL.
Microsoft has also updated its main Microsoft Bug Bounty Program with simplified high-level requirements as well as extra links and resources.
The company has also reorganized its bug bounties into three main categories: Cloud Programs; Platform Programs; and Defense Programs.
Dynamics 365 is the newest addition to the Cloud Programs section, which also includes Microsoft Identity services, such as Azure Active Directory. Also in this group are Azure DevOps Services, .NET Core and ASP.NET Core, and the Microsoft Cloud Bounty.
The Platform Programs cover Microsoft Hyper-V, the Windows Insider Preview, Windows Defender Application Guard, Edge on Windows Insider Preview, and Office Insider.
The Defense Programs category currently includes only the 'Mitigation Bypass and Bounty for Defense', which offers the highest rewards of up to $100,000.
The extra resources include links to frequently asked questions, examples of low and high quality reports, the Windows security servicing criteria, a directory of Azure Services, Microsoft product documentation, and a link to the Microsoft Security Research & Defense blog.
The Dynamics 365 top payout is in line with the top reward for the Microsoft Cloud Bounty, which recently got bumped up from $15,000 to $20,000.
Earlier this year Microsoft handed over payment-processing responsibilities to third-party bug bounty platform HackerOne and has since added Bugcrowd to its payment roster. Microsoft continues to triage bug reports and decide on the value of rewards, but moved to HackerOne and Bugcrowd in order to speed up payments to researchers and offer different payment options, including cryptocurrency.