Microsoft ups bug bounties 30% for cloud lines, pays more for ‘scenario-based’ exploits


In Brief Microsoft will pay more — up to $26,000 more — for “high-impact” bugs in its Office 365 products via its bug bounty program.

The new “scenario-based” payouts to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program aim to incentivize bug hunters to focus on finding vulnerabilities with “the highest potential impact on customer privacy and security,” Microsoft said late last week.

Awards will increase as much as 30 percent in some cases, according to the Redmond software goliath. 

For example: discovering a remote code execution (RCE) vuln exploitable from untrusted input — this is what Mitre deems CWE-94, or a code-injection weakness — would be eligible for a 30 percent bonus on top of the existing M365 bounty award. Same for finding a vuln that deserializes untrusted data, also leading to potential RCE.

Microsoft made a similar move with its Azure bug bounty program in the fall and now pays up to $60,000 for high-impact cloud vulnerabilities.

And considering the massive Patch Tuesday earlier this week, it’s tough to argue against bigger awards to catch critical security flaws before the criminals do.

During Microsoft’s April monthly patching bonanza, the software giant addressed more than 100 vulnerabilities including ten critical RCEs. One of the bugs was already under attack, and a second had its exploit publicly disclosed before Patch Tuesday; Microsoft says no malicious exploitation has happened with that latter programming blunder … yet.
