Find an Office 365 vulnerability. Get paid.
Mirroring the ongoing shift from packaged software to cloud computing in the workplace, Microsoft has launched a new Online Services Bug Bounty program that awards security researchers with cash when they discover flaws in the company's Web applications. First up is Office 365.
Announcing the launch of the program, Travis Rhodes, senior security lead for Office 365 said in a Sept. 23 statement that the initiative allows Microsoft to "reward and recognize security researchers by offering a bounty for qualifying security vulnerabilities they report to us."
In an online support document that outlines the terms of the program, Microsoft noted that "individuals across the globe have the opportunity to earn a bounty on submitted vulnerabilities for participating Online Services provided by Microsoft." A minimum of $500 will be paid for qualified submissions. "Bounties will be paid out at Microsoft's discretion based on the impact of the vulnerability," added the company.
Microsoft was late to the bug-bounty movement, having only begun paying for information on software flaws last year. In June 2013, the company kicked off programs that paid as much as $100,000 for vulnerabilities in Windows 8.1 and up to $11,000 for bugs affecting Internet Explorer.
"What we are looking for are new ways to bypass our mitigations. We want to learn about these new ways to punch holes in our shields, so we can develop defenses that work platform-wide and block those types of attacks," Katie Moussouris, senior security strategist lead for Microsoft's Trustworthy Computing group, told eWEEK at the time.
Rhodes struck a similar tone in his Office Blogs post. "We work hard to develop secure software and defend our services from breaches, but we recognize that security is a journey and not a destination, and we are always looking for ways to move faster," he said. This bounty program is one more way that we can enable and recognize that great community that helps us make Office 365 even safer."
Moreover, customers demanded it. There now exists "a framework for enabling targeted security vulnerability assessments of Office 365 services by anyone who wishes to participate," said Rhodes. "With these rules, you can now validate the security of the service, and if you identify issues and meet the eligibility requirements, Microsoft will compensate you for that good work."
Eligible submissions include cross-site scripting (XSS), cross-site request forgery (CSRF), injection flaws and server-side code execution, to name a few. Denial-of-service issues, missing HTTP security headers and URL redirects are examples of invalid submissions. "The aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users' data," asserted Microsoft.
Only select domains, like portal.office.com and api.yammer.com, are currently covered by the new bug-hunting program. The software giant recommends that security researchers check the WHOIS domain lookup tool "for all resolved IPs prior to testing in order to verify ownership by Microsoft" and remain eligible for a payout.