Bounty - Microsoft Defender (original) (raw)

PROGRAM DESCRIPTION

Defender is a Microsoft brand that includes a variety of products and services that are aimed at protecting the Microsoft customer experience. The Microsoft Defender Bounty Program invites eligible researchers to identify vulnerabilities in Defender products and services and share them with our team. The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs and will expand to include other products in the Defender brand over time. Qualified submissions are eligible for bounty awards from 1,250to1,250 to 1,250to20,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Such vulnerability must be Critical or Important severity. For an example of how Microsoft classifies vulnerability severity levels, please see Microsoft Vulnerability Severity Classification for Windows1.
• The vulnerability must be reproducible on the latest, fully patched version of the product or service.

1The classification of vulnerability severity levels varies by product. Products under the Defender Bounty Program may be classified differently than those listed on the Microsoft Vulnerability Severity Classification for Windows.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.
• Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for.
• Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

• Microsoft Defender for Endpoint (MDE) - Public APIs
• Microsoft Defender for Identity (MDI)
• Microsoft Defender for Office 365 (MDO) - SafeLinks
• Microsoft Defender for Cloud Apps (MDA), limited to the list below:
  • Domains:
    * security.microsoft.com/cloudapps/*
    * Any function impacting Microsoft Defender for Cloud Apps hosted on security.microsoft.com.
    * Any issues not pertaining to Defender for Cloud Apps on this domain will be assessed under the M365 Bounty Program.
    * portal.cloudappsecurity.com
    * *.portal.cloudappsecurity.com
  • API
    * Microsoft Defender for Cloud Apps Graph APIs (Use the Microsoft Defender for Cloud apps API in Microsoft Graph (preview) - Microsoft Graph beta | Microsoft Learn)
    * In-scope APIs are listed under the “security > discover cloud apps (preview) tab"

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.

Here are some useful links for getting started. While this getting-started material is broad, please ensure that you’re focusing your research on only the public Microsoft Defender for Endpoint APIs.

• Microsoft Defender for Endpoint (MDE) Public APIs Documentation
  • Overview of Management and APIs
  • Supported Microsoft Defender for Endpoint APIs
    * Get started with a 3-month Trial tenant
• Microsoft Defender for Identity (MDI)
  • Microsoft Defender for Identity (MDI) Documentation
  • Download the Microsoft Defender for Identity (MDI) sensor
  • Enable access to Microsoft Defender for Identity (MDI) service URLs in the proxy server
    * The sensor's endpoint is per customer (based on the workspace name, which is based on the tenant's name at creation time).
• Microsoft Defender for Office 365 (MDO) SafeLinks
  • Customer/Product Documentation: Why do I need Microsoft Defender for Office 365? | Microsoft Learn
  • Deploy MDO: Get started with Microsoft Defender for Office 365 | Microsoft Learn
  • Configure SafeLinks in MDO: Complete Safe Links overview for Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn
  • Set up Safe Links policies in Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn
  • Manage tenant allow block list for URLs: Manage allows and blocks in the Tenant Allow/Block List - Microsoft Defender for Office 365 | Microsoft Learn
• Microsoft Defender for Cloud Apps (MDA)
  • Overview - Microsoft Defender for Cloud Apps | Microsoft Learn
  • Get started - Microsoft Defender for Cloud Apps | Microsoft Learn
  • Basic setup - Microsoft Defender for Cloud Apps | Microsoft Learn

BOUNTY AWARDS

Bounty awards range from 1,250to1,250 to 1,250to20,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.

General Awards