Microsoft has launched an Online Services Bug Bounty Programme that will pay out cash awards of a minimum of $500 (£300) for flaws in the company’s web applications, beginning with Office 365.
The scheme joins a programme launched in June of last year, which offered bounties of up to $100,000 for vulnerabilities in Windows 8.1 and up to $11,000 for bugs in Internet Explorer.
Microsoft said the programme is designed to help improve the security of its tools, but is also in response to customer demand for “the freedom to examine and understand the security profile of our offerings”.
“With these rules, you can now validate the security of the service, and if you identify issues and meet the eligibility requirements, Microsoft will compensate you for that good work,” said Travis Rhodes, senior security lead for Office 365, in a blog post.
Microsoft is offering bounties for “significant web application vulnerabilities” affecting eligible online service domains, which include portal.office.com, outlook.com, outlook.office365.com and others.
Bug types eligible for the rewards include Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), privilege escalation, server-side code execution and significant security misconfigurations, but not bugs requiring “unlikely user actions,” denial of service issues or cookie replay vulnerabitlities, Microsoft said.
“The aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users’ data,” the company said in a document outlining the programme’s rules.
In addition, participants are prohibited from engaging in activities including Denial of Service testing, accessing data they don’t own or attempting phishing or social-engineering attacks against Microsoft employees.
“The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services,” Microsoft said. Payments will be at Microsoft’s discretion, based on the impact of the vulnerability, it added.
Such bounty programmes have long been operated by major IT companies, with Twitter launching a bounty scheme earlier this month.
Do you know all about IT and the law? Take our quiz.
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…