New Online Services Bug Bounty Program
Written by Sue Gee   
Friday, 26 September 2014

Microsoft has launched a bug bounty program covering its Online Services, starting with Office 365. Rewards for qualified submissions start at $500.




Microsoft already has an established Bug Bounty Program, including the Mitigation Bypass Bounty program which pays up to $100,000 USD for novel exploitation techniques against protections built into its newest operating systems and the BlueHat Bonus for Defense, an additional uo to $50,000 for defensive ideas that accompany a qualifying Mitigation Bypass submission.

Now it is extending the idea of paying for vulnerability reports to its online service stating:

Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure.

Qualified submissions for the Online Services Bug Bounty will be eligible for a minimum payment of $500 with the proviso

Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.

Eligible submissions include vulnerabilities of the following types:


  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration


The program is restricted to the following domains:


  • * (Office 365 for business email services applications, excluding any consumer “” services)
  • * - excluding user-generated content
  • *
  • *

You also need to be aware of the rules governing the testing of the above bounty-eligible online services. The terms and conditions state:

You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string "MSOBB" in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program.

Additionally all the following are prohibited:

  • Any kind of Denial of Service testing.
  • Performing automated testing of services that generates significant amounts of traffic.
  • Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
  • Moving beyond "proof of concept" repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).
  • Attempting phishing or other social engineering attacks against our employees.

So is $500 enough for going to so much trouble. Well it is a minimum and Microsoft has a record of paying substantial sums for critical bugs.



Amazon Introduces RStudio on Amazon SageMaker

Amazon has announced the availability of RStudio for SageMaker. The move is designed to make it easier to use RStudio with SageMaker’s machine learning and deep learning capabilities, and to incorpo [ ... ]

Call For Code Winner Addresses Problem of Safe Drinking Water

A team from India has been selected as the Grand Prize winner of IBM's 2021 Call For Code developer challenge with Saaf Water, an AI-powered IoT solution that provides feedback on water quality.

More News






or email your comment to:

Last Updated ( Friday, 26 September 2014 )