For the last couple of years, Google has been releasing details about unpatched vulnerabilities discovered by its researchers in Microsoft’s products. Now, to save itself from further embarrassment, Microsoft has launched a bug bounty program in which the company is willing to pay up to $30,000 to hackers and security researchers for reporting flaws in some of its products and services.
The only catch with this bug bounty program is that it runs for a limited time (1st March until 31st May 2017). Apparently, Microsoft wants to control the vulnerability disclosure process, since Google has had the upper hand for the last year: its researchers found vulnerabilities in the Internet Explorer and Edge browsers and gave Microsoft 90 days to fix each issue before disclosing it.
The specific domains in which hackers can look for vulnerabilities are:
The full list includes 18 domains, plus a further 37 eligible endpoints covered by the standard bug bounty, where Microsoft wants hackers to dig deep and find vulnerabilities.
The vulnerabilities which are eligible for submission are:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
Although $30,000 is a sizeable amount, it does not match the top reward Google pays in its Chromebook bug bounty, which goes up to $100,000. CloudFlare’s bug bounty reward, however, is a simple t-shirt, so if hackers are looking to make some bug bucks, this is their chance.
For technical details, the program description, submission eligibility, and the legal terms of this bug bounty program, see Microsoft’s blog post.