Microsoft has launched a bug bounty program for 365 applications, with Microsoft Teams’ desktop client the sole in-scope target for now.
The Microsoft Applications Bounty Program will pay out bounty rewards of between $500 and $30,000 for valid security vulnerabilities – a substantially higher ceiling than the $20,000 on offer under its online services counterpart.
Scenario-based awards ranging between $6,000 and $30,000 are on offer for remote code execution (RCE), authentication credential theft, privilege escalation, and XSS or similar flaws leading to arbitrary code execution with minimal or no user interaction.Other valid vulnerability reports will attract rewards within the $500 to $15,000 range.
A valid vulnerability reports for Microsoft Teams are now eligible for a 200% bonus multiplier applied to points earned under the Researcher Recognition Program.
Based on bug’s severity and impact, points are accrued for vulnerabilities found on eligible applications and contribute towards Microsoft Security Response Center’s (MSRC) annual Most Valuable Security Researcher roll call.
Security researchers should continue to submit vulnerabilities found in Teams’ web browser application to Microsoft’s Online Services Bounty Program.
Microsoft Teams, a videoconferencing and business collaboration platform, reported a 50% surge to 115 million daily active users in the six months after Covid-19 was declared a pandemic.