Under normal circumstances, reported flaws are eligible for a minimum pay-out of US$500 and a maximum pay-out of US$15,000. However, Microsoft is running a special offer for eligible vulnerability submissions. For specific Office 365 apps, the company has doubled the minimum (US$1000) and maximum (US$30,000) pay-outs. As always, the company points out that Bug Bounty discoveries are paid out at Microsoft’s discretion. The level of payment is based on the potential threat and impact of the flaw detected. Microsoft says the extended reward Bug Bounty is for vulnerabilities found in the following Office 365 apps:
office.com office365.com office.com *.outlook.com com
“Securing Exchange Online, Microsoft’s hosted enterprise email solution, is vital to customer security as it is the gateway to accessing critical user information such as email, calendars, contacts and tasks for any endpoint device,” wrote Akila Srinivasan and Travis Rhodes of the Microsoft Security Response Center.
Bug Bounty Program
Microsoft launched its first phase Bug Bounty in September 2014. The initial program was for Microsoft Online Services. Since then the company has expanded the program across Azure (April 2015) and Office 365 (August 2015). In September, 2016, the Bug Bounty also extended to the Microsoft Edge Insider Program. The concept of the program is allowing researchers to gain rewards for finding flaws in Microsoft services. By offering a reward, Microsoft gives researchers and incentive to find vulnerabilities and report them.
