Microsoft Online Services Bug Bounty Program

Microsoft today announced its Microsoft Online Services Bug Bounty Program, which rewards security researchers who submit vulnerabilities in the various online services Microsoft provides. The company pays for finding and submitting vulnerabilities, starting at a minimum of 500 dollars and rising with the impact of the vulnerability.

The company says the vulnerabilities covered include:

Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, code execution, privilege escalation and significant security misconfiguration.

The domains that can be tested are:

  • portal.office.com
  • *.outlook.com (Office 365 for business email services applications, excluding any consumer "outlook.com" services)
  • outlook.office365.com
  • login.microsoftonline.com
  • *.sharepoint.com
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • api.yammer.com
  • adminwebservice.microsoftonline.com
  • provisioningapi.microsoftonline.com
  • graph.windows.net

The company also provides a list of vulnerabilities that will not earn a reward:

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly").
  • Server-side information disclosure such as IPs, server names and most stack traces.
  • Bugs in the web application that only affect unsupported browsers and plugins.
  • Bugs used to enumerate or confirm the existence of users or tenants.
  • Bugs requiring unlikely user actions.
  • URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
  • Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
  • "Cross Site Scripting" bugs in SharePoint that require "Designer" or higher privileges in the target's tenant.
  • Low impact CSRF bugs (such as logoff).
  • Denial of Service issues.
  • Cookie replay vulnerabilities.

You can report vulnerabilities in Microsoft products and services to the address [email protected].

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
