
Microsoft has unveiled a new bug bounty program focused on the Microsoft Defender security platform, with rewards between $500 and $20,000.

While higher awards are possible, Microsoft retains sole discretion to determine the final reward amount based on vulnerability severity, impact, and submission quality.

The highest reward is available for high-quality reports of critical-severity remote code execution vulnerabilities.

At present, the Microsoft Defender Bounty Program is limited in scope and will focus solely on Microsoft Defender for Endpoint APIs (Application Programming Interfaces). However, it is expected to expand to include other Defender products in the future.

"The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team," said MSRC Senior Program Manager Madeline Eckert.

"Microsoft's Bug Bounty programs represent one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers."

Reward table (the four rightmost columns are the vulnerability severity levels):

Vulnerability Type       Report Quality   Critical      Important   Moderate   Low
Remote Code Execution    High             $20,000       $15,000     $0         $0
                         Medium           $15,000       $10,000
                         Low              $10,000       $5,000
Elevation of Privilege   High             $8,000        $5,000      $0         $0
                         Medium           $4,000        $2,000
                         Low              $3,000        $1,000
Information Disclosure   High             $8,000        $5,000      $0         $0
                         Medium           $4,000        $2,000
                         Low              $3,000        $1,000
Spoofing                 High             N/A           $3,000      $0         $0
                         Medium                         $1,200
                         Low                            $500
Tampering                High             N/A           $3,000      $0         $0
                         Medium                         $1,200
                         Low                            $500
Denial of Service        High/Low         Out of Scope

The complete list of in-scope security vulnerabilities includes:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Cross-tenant data tampering or access
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities
  • Server-side code execution
  • Significant security misconfiguration (when not caused by the user)
  • Using components with known vulnerabilities (requires a full proof of concept (PoC) of exploitability; for example, simply identifying an out-of-date library would not qualify for an award)

Per Microsoft's guidelines, if multiple security researchers file bug reports about the same issue, the bounty will be awarded to the first submission.

Moreover, if a submission qualifies for multiple bounty programs, the researcher will receive the highest single payout from one bounty program. Further details about the Microsoft Bounty Program are available on its FAQ page.

Today, Microsoft also revealed that it paid $58.9 million in rewards to 1,147 security researchers worldwide who reported 446 eligible vulnerabilities across 22 bug bounty programs.

One month earlier, the company announced a new AI bounty program focused on the AI-powered Bing experience, with rewards of up to $15,000.

Last year, Redmond added on-premises Exchange, SharePoint, and Skype for Business to its bug bounty program and increased the maximum awards for high-impact security flaws reported through its Microsoft 365 program.
