Microsoft Joins the Online Services Bug Bounty Party

Microsoft has effectively expanded its bug bounty strategy to include web-based services with the launch on Tuesday of the Microsoft Online Services Bug Bounty Program.

The computing giant said rewards starting at $500 would be paid for “significant web application vulnerabilities found in eligible online service domains.”

“Additionally, in order for submissions to be processed as quickly as possible and to ensure the highest payment for the type of vulnerability being reported, submissions should include concise repro steps that are easily understood,” it continued in a notice.

Participating online services include Outlook, Office365, Yammer, SharePoint and Lync.

Microsoft said it would pay out for the discovery of, among others, vulnerabilities such as cross-site scripting, injection flaws, authentication flaws, privilege escalation, cross-site request forgery and server-side code execution.

Redmond added:

"You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string ‘MSOBB’ in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program."

Microsoft urged security researchers to use only the official bug submission guidelines and follow the Coordinated Vulnerability Disclosure rules when reporting flaws.

The Redmond giant has been offering rewards for vulnerabilities discovered in its products since last year, offering up huge sums of $100,000 to some.

However, this is its first official foray into the world of online services, an area where the firm is increasingly looking to replace falling on-premise software license revenues.

Sophos global head of security research, James Lyne, welcomed the announcement, noting that Microsoft's existing program for its “core platform” has had a “phenomenal impact” on the security of Windows.

“Creating a new program to focus on online services is overdue given Microsoft has put so much focus on its online services such as Office365. The scope of the program has a few unusual exclusions and by comparison a much lower minimum payout of only $500, but is not atypical for more basic web defects,” he told Infosecurity.

“This, for example, would include the discovery of XSS bugs like those that have plagued eBay over the last few days. This is a welcome change and hopefully the program evolves over time and drives greater quality and trust in Microsoft's online services.”