Microsoft today announced its Microsoft Online Services Bug Bounty Program, which rewards security researchers for submitting vulnerabilities found in the various online services provided by Microsoft. The company pays a minimum of 500 dollars for finding and submitting a vulnerability, with the amount rising depending on the impact of the vulnerability.
The company says vulnerabilities include:
Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorized cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, code execution, privilege escalation and significant security misconfiguration.
The domains that can be tested are:
- portal.office.com
- *.outlook.com (Office 365 for business email service applications, excluding any consumer "outlook.com" services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net
The company also provides a list of vulnerability types that will not be eligible for a reward:
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly").
- Server-side information disclosure such as IPs, server names and most stack traces.
- Bugs in the web application that only affect unsupported browsers and plugins.
- Bugs used to enumerate or confirm the existence of users or tenants.
- Bugs requiring unlikely user actions.
- URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
- "Cross Site Scripting" bugs in SharePoint that require "Designer" or higher privileges in the target's tenant.
- Low impact CSRF bugs (such as logoff).
- Denial of Service issues.
- Cookie replay vulnerabilities.
You can report vulnerabilities in Microsoft products and services to the address [email protected].