Finding defects in Microsoft 365, Dynamics 365, and Microsoft’s Power Platform can now earn security researchers and white hat hackers even more money.
The Microsoft Security Response Center (MSRC) said in a recent blog post that the maximum bounty for serious vulnerabilities reported to the Dynamics 365 and Power Platform bounty program, as well as the M365 bounty program, will be increased.
Bug hunters can now earn up to $20,000 if they find a cross-tenant information exposure bug in Dynamics 365 and Power Platform.
Meanwhile, in Microsoft 365, remote code execution flaws through untrusted input will be worth an extra 30%, unauthorized cross-tenant and cross-identity sensitive data breaches will be worth an extra 20%, and vulnerabilities through “confused proxies” will be worth an extra 10%.
There will be a 15% increase in value.
These new awards are part of Microsoft’s “ongoing efforts to work with the security research community” as part of the company’s “holistic approach” to security threats.
Find faults in Exchange, SharePoint, and Skype for Business on-premises:
In addition to boosting bug bounty payouts in Microsoft 365, Dynamics 365, and Power Platform, Microsoft also expanded its bug bounty program for applications and on-premises servers to include on-premises Exchange, SharePoint, and Skype for Business.
Security researchers who uncover and disclose vulnerabilities impacting local servers can receive incentives ranging from $500 to $26,000 under this expanded bug bounty program.
“Higher awards are possible at Microsoft’s sole discretion, based on the severity and effect of the vulnerability and the quality of the submission,” according to a separate Microsoft Security Response Center blog post.
Server-side request forgery flaws in both Exchange and SharePoint are worth an extra 20% under the severity multiplier for these types of issues.
If you’re a security researcher or a white hat hacker interested in learning more, go to Microsoft’s Applications and Local Servers Bounty program page.