Microsoft today announced its Microsoft Online Services Bug Bounty Program, which rewards security researchers who submit vulnerabilities in the various online services Microsoft provides. The company pays for found and submitted vulnerabilities starting at a minimum of 500 dollars, rising with the impact of the vulnerability.
The company says the qualifying vulnerabilities include:
Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration.
The domains that can be tested are:
* .outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
The company also provides a list of vulnerabilities that will not be rewarded:
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly").
- Server-side information disclosure such as IPs, server names and most stack traces.
- Bugs in the web application that only affect unsupported browsers and plugins.
- Bugs used to enumerate or confirm the existence of users or tenants.
- Bugs requiring unlikely user actions.
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
- "Cross Site Scripting" bugs in SharePoint that require "Designer" or higher privileges in the target's tenant.
- Low impact CSRF bugs (such as logoff).
- Denial of Service issues.
- Cookie replay vulnerabilities.
You can report vulnerabilities in Microsoft products and services to the address email@example.com.