Microsoft 365 Insider Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

The Microsoft 365 Insider on Windows Bounty Program invites researchers to identify security vulnerabilities in Word, Excel, Outlook, OneNote and PowerPoint in the Microsoft 365 Insider Preview on Windows and share them with our team. Qualified submissions are eligible for bounty awards from $500 to $30,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Such vulnerability must reproduce in one of the in-scope products or services.
• Include clear, concise, and reproducible steps, either in writing or in video format.
  • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
  • Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
• Each proof of concept must demonstrate the vulnerability against Word, Excel, Outlook, PowerPoint, OneNote on Current Channel (Preview) on a fully patched version of Windows 11.
• Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for and describe the attack vector for the vulnerability.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) on Current Channel (Preview) are eligible under this bounty program:

• Word
• Excel
• Outlook (Classic)
• PowerPoint
• OneNote

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.

To get started, join the Microsoft 365 Insider program. For more information, see:

• Microsoft 365 Insider Blog
• Microsoft 365 Insider Handbook
• Microsoft 365 Insider FAQ
• Follow us @Msft365Insider

Example of Elevation of privilege via Protected View sandbox escape

To help keep users safe, Microsoft 365 uses Protected View to open untrusted documents. We are looking for M365-based techniques to escape the sandbox and other privilege escalations.

Examples for Bypass of default security policy category

Policies block macro execution by default
By default, the macro security policies block execution of macros without user interaction, or completely disable the ability to enable macros for documents originating from the Internet. We are looking for vulnerabilities that would allow automatic macro execution in M365 apps included in the bounty scope without additional user interaction in the default configuration and without trusting the document or removing the mark of the Web.

Policy that blocks by default certain types of Outlook
Several file extensions are currently blocked by default as attachments in Outlook. We’re looking for techniques that will bypass the default block and allow those formats as email attachments (for example .exe files).

For more information on blocked attachments in Outlook, please check here.

BOUNTY AWARDS

Bounty awards range from 500upto500 up to 500upto30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submissions will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.