Microsoft Doubles Bounty Payouts
Monday, 10 August 2015

Microsoft has announced an increase for its Bounty for Defense program from $50K to $100K and an expansion of its Online Services Bug Bounty program, including and a bonus period during which some authentication vulnerabilities will receive double bounty payouts.

According to Jason Shirk in his announcement on TechNet raising the Bounty for Defense: 

  • Brings defense up on par with offense
  • Rewards the novel defender equally for their research


msbugbountyshield

To clarify, Microsoft has offered rewards up to $100,000 for novel remote code execution vulnerabilities since it introduced its Mitigation Bypass Bounty in June 2013. It also offered an additional Bonus for Defence for submitting a report that described how to block such exploitation techniques. which was set at $50,000.  

Now the two rewards have been decoupled and researchers who submit defensive techniques to Microsoft can be eligible for a bounty up to $100,000. As before all bounties will be paid out at Mirosoft's discretion.

Other news in the announcement, which was timed to coincide with Black Hat 2015, the annual gathering of the security research community, was the extension of the Microsoft Online Services Bug Bounty program, originally launched in September 2014, to include Microsoft Account. To give further impetus to researchers to hunt out authentication vulnerabilities, for the next three months, until October 5, 2015, qualified submissions will be eligible for double bounties to a maximum of $30,000 USD.

The three Microsoft Account domains that are eligible for this are:  

  • login.windows.net
  • login.microsoftonline.com
  • login.live.com 

and the types of vulnerability that will qualify include:

Eligible submissions will include vulnerabilities of the following types: 

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user) 

In addition, Remote App, which lets users run Windows apps hosted in Azure anywhere, and on a variety of devices is being added as a new property of the Online Services Bug Bounty Program.

 

 msbugbountyshield

More Information

Microsoft Bounty Programs Expansion – Bounty for Defense, Authentication Bonus, and RemoteApp 

Microsoft Bounty Programs

Project Spartan Bug Bounty Program Terms

Online Services Bug Bounty Terms

Mitigation Bypass and BlueHat Defense Terms

Related Articles

Microsoft Offers $100,000 For Novel Exploits

New Online Services Bug Bounty Program 

Microsoft Expands Bounty Programs

Microsoft Extends Bounty

Bounty Hunter Awarded $100,000

 

To be informed about new articles on I Programmer, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner

Google Android PC "Is Incredible"
29/09/2025

Google has revealed more details of its plans to release a version of Android for PCs. The information came during the keynote session at the recent Qualcomm Snapdragon Summit that took place in Maui, [ ... ]


+ Full Story
C Resumes Second Place In TIOBE Index
08/10/2025

The TIOBE index for October is out and C has overtaken  to regain the coveted second place in the ranking. What is it about C that makes it so special and can it continue to be as important a lan [ ... ]


+ Full Story
More News

 

pico book

 

Comments




or email your comment to: comments@i-programmer.info
Last Updated ( Tuesday, 04 October 2016 )