Microsoft: We're boosting our bug bounties for these high-impact security flaws

Microsoft creates new categories with higher bonus awards for bugs affecting Office 365, Dynamics and Power Platform products.
Written by Liam Tung, Contributing Writer

Microsoft has announced new "scenario-based" awards for its Dynamics and Power Platform Bounty Program and the Microsoft 365 Bounty Program. 

Microsoft says the scenario-based awards are designed to encourage researchers to focus their work on "vulnerabilities that have the highest potential impact on customer privacy and security".

The new scenario-based awards come on top of the programs' existing general awards for bugs such as remote code execution and elevation of privilege, and add up to $26,000 in new money: $20,000 for the new Dynamics 365 and Power Platform scenario plus up to $6,000 in bonuses on the Microsoft 365 program's top award.

The new scenario-based award for Dynamics 365 and Power Platform covers cross-tenant information disclosure and carries a maximum award of $20,000. Microsoft has patched bugs of this kind before, including some affecting Azure APIs and, in March, a cross-tenant information disclosure flaw in the Azure Automation service.

Microsoft is also adding bonuses of 15% to 30% on top of the general Microsoft 365 bounty for Office 365 products and for the Microsoft Account pages of Outlook, Teams, SharePoint Online, OneDrive, Skype and others.

The highest general award in the Microsoft 365 bounty is $20,000, for a critical remote code execution flaw.

The new high-impact scenarios carry a 30% bonus for remote code execution (RCE) through untrusted input, under either CWE-94 ("Improper Control of Generation of Code ('Code Injection')") or CWE-502 ("Deserialization of Untrusted Data").

There is also a 20% bonus for unauthorized cross-tenant and cross-identity leakage of sensitive data, under either CWE-200 ("Exposure of Sensitive Information to an Unauthorized Actor") or CWE-488 ("Exposure of Data Element to Wrong Session").

Finally, there is a 15% bonus for "confused deputy" vulnerabilities, under CWE-918 ("Server-Side Request Forgery (SSRF)"), that can be used in a practical attack to reach resources in a way that bypasses authentication: the server is tricked into making a request, with its own privileges and network position, to something the attacker could not reach directly.
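The confused-deputy scenario in that last category is worth seeing in code. What follows is an added example, not code from Microsoft or from any of the products named above: a hypothetical server-side URL fetcher in Python, with the unchecked version beside a hardened one that validates scheme, port and credentials, resolves the hostname, rejects any non-public address and pins the resolved IP for the connection. The hostnames, DNS answers and URLs in it are constructed for the demo.

```python
"""SSRF (CWE-918) confused-deputy guard. Added example, not Microsoft code.

A server-side fetcher ("the deputy") that trusts the caller's URL can be
pointed at loopback services, private networks or the cloud instance-metadata
endpoint that only the server can reach. hardened_target() shows the checks
a practitioner puts in front of it. Hosts and DNS answers are constructed.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


class SSRFBlocked(ValueError):
    """Raised when a URL would make the deputy reach something it should not."""


def system_resolver(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_target(url: str) -> tuple[str, int]:
    """The confused deputy: connects wherever the caller points it,
    including 127.0.0.1, 10.0.0.0/8 and 169.254.169.254."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)


def is_public_ip(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses. ipaddress.is_global
    already rejects loopback, link-local (which covers 169.254.169.254),
    RFC 1918, 100.64.0.0/10, IPv6 ULA and the TEST-NET documentation blocks."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast


def hardened_target(url: str, resolver: Resolver = system_resolver) -> tuple[str, str, int]:
    """Validate url; return (host, pinned_ip, port) the deputy may connect to.

    Connect to pinned_ip (still sending host in the Host header / SNI) rather
    than re-resolving host: otherwise DNS rebinding can answer this lookup
    with a public address and the connect-time lookup with 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SSRFBlocked(f"bad port in {url!r}") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    # IP literals (including bracketed IPv6) are used as-is. Anything else,
    # including odd forms such as "2130706433" that ipaddress rejects but many
    # system resolvers accept, goes through the resolver. Every answer must be
    # public: a name with one public and one private record is still blocked.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise SSRFBlocked(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise SSRFBlocked(f"host does not resolve: {host!r}")
    for ip in addresses:
        if not is_public_ip(ip):
            raise SSRFBlocked(f"{host!r} resolves to non-public address {ip}")
    return host, str(addresses[0]), port


# Constructed DNS answers so the demo runs offline; the public address is used
# only because it is globally routable, not because of who owns it.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one private
    "meta.example.com": ["169.254.169.254"],              # points at metadata
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def demo() -> dict[str, str]:
    """Run constructed legitimate and attacker URLs through the hardened check."""
    urls = [
        "https://api.example.com/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:80/admin",
        "http://[::ffff:127.0.0.1]/admin",
        "http://mixed.example.com/",
        "https://meta.example.com/",
        "gopher://api.example.com/",
        "https://api.example.com:8443/",
        "https://user:pw@api.example.com/",
    ]
    results = {}
    for url in urls:
        try:
            _host, ip, port = hardened_target(url, fake_resolver)
            results[url] = f"allowed -> {ip}:{port}"
        except SSRFBlocked as exc:
            results[url] = f"blocked ({exc})"
    return results


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:45} {verdict}")
```

A host allowlist is left out to keep the resolved-address check in focus; where the deputy only ever needs to talk to a known set of hosts, the allowlist is the stronger first line and the address check stays as defence in depth. Note that Python's ipaddress treats the TEST-NET documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, which is why the constructed answers use another address.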

Microsoft offered similar scenario-based awards for its Teams bug bounty last year, on top of that program's general awards. In December it also added six scenario-based awards of up to $60,000 for high-impact bugs to its Azure bounty.
