Η Microsoft today announced it Microsoft Online Services Bug Bounty Program, which offers security researchers rewards for submitting vulnerable points in the various online Services provided by Microsoft. The company pays for finding and submitting vulnerabilities with a minimum amount of 500 dollars rising depending on the impact of the vulnerability.
The company says vulnerabilities include:
Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration.
The domains that can be tested are
portal.office.com
* .outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
outlook.office365.com
login.microsoftonline.com
* .sharepoint.com
* .lync.com
* .officeapps.live.com
www.yammer.com
api.yammer.com
adminwebservice.microsoftonline.com
provisioningapi.microsoftonline.com
graph.windows.net
The company also provides a list of vulnerabilities that will not be premium:
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly").
- Server-side information disclosure such as IPs, server names and most stack traces.
- Bugs in the web application that only affect unsupported browsers and plugins.
- Bugs used to enumerate or confirm the existence of users or tenants.
- Bugs requiring unlikely user actions.
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
- Vulnerabilities in platform technologies that are not unique to online services in questionApache or IIS vulnerabilities, for example).
- "Cross Site Scripting" bugs in SharePoint that require "Designer” or higher privileges in the target's tenant.
- Low impact CSRF bugs (such as logoff).
- Denial of Service issues.
- Cookie replay vulnerabilities.
You can report vulnerabilities to your products and services Microsoft at secure@microsoft.com.