New Online Services Bug Bounty Program
Written by Sue Gee   
Friday, 26 September 2014

Microsoft has launched a bug bounty program covering its Online Services, starting with Office 365. Rewards for qualified submissions start at $500.

 

bluehat2

 

Microsoft already has an established Bug Bounty Program, including the Mitigation Bypass Bounty program which pays up to $100,000 USD for novel exploitation techniques against protections built into its newest operating systems and the BlueHat Bonus for Defense, an additional uo to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.

Now it is extending the idea of paying for vulnerability reports to its online service stating:

Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure.

Qualified submissions for the Online Services Bug Bounty will be eligible for a minimum payment of $500 with the proviso

Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.

Eligible submissions include vulnerabilities of the following types:

 

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration

 

The program is restricted to the following domains:

 

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com - excluding user-generated content
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

You also need to be aware of the rules governing the testing of the above bounty-eligible online services. The terms and conditions state:

You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string "MSOBB" in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program.

Additionally all the following are prohibited:

  • Any kind of Denial of Service testing.
  • Performing automated testing of services that generates significant amounts of traffic.
  • Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
  • Moving beyond "proof of concept" repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).
  • Attempting phishing or other social engineering attacks against our employees.

So is $500 enough for going to so much trouble. Well it is a minimum and Microsoft has a record of paying substantial sums for critical bugs.

 

Banner


Meet Stretch - A Mobile Manipulator Robot
24/02/2024

Meet Stretch 3, an open-source robot that, according to its maker Hello Robot, heralds a future where versatile robots are in millions of homes. Originally introduced as a research platform, Stretch i [ ... ]



Running PostgreSQL Inside Your Browser With PGLite
18/03/2024

Thanks to WebAssembly we can now enjoy PostgreSQL inside the browser so that we can build reactive, realtime, local-first apps directly on Postgres. PGLite is about to make this even easier.


More News

 

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 26 September 2014 )