M365 Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

The Microsoft 365 Bounty Program invites researchers to identify and submit vulnerabilities in specific Microsoft domains and endpoints. Qualified submissions are eligible for bounty awards from 1,250to1,250 to 1,250to19,500 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

Such vulnerability must be of Critical or Important severity as defined by the Microsoft Vulnerability Severity Classification for Online Services.
The vulnerability must be reproducible in one of the in-scope products or services.

We request researchers include the following information to help us quickly assess their submissions:

Indicate in the vulnerability submission which high impact scenario (if any) your request qualifies for.

We request researchers include the following information to help us quickly assess their submission:

Submit through the MSRC Researcher Portal.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Most vulnerabilities submitted in the following services are eligible under this bounty program:

Office 365
Microsoft Account
Security Center
- security.microsoft.com
- compliance.microsoft.com
Outlook
- outlook.office365.com
- outlook.office.com
- outlook.live.com
- outlook.com
Teams
- teams.microsoft.com
- teams.live.com
- join.microsoft.com
Lync
- lync.com
SharePoint Online
- sharepoint.com (excluding user-generated content)
- sharepointonline.com (excluding user-generated content)
- svc.ms
OneDrive
- onedrive.live.com
- onedrive.com
- 1drv.com (excluding user-generated content)
- livefilestore.com (excluding user-generated content)
- storage.live.com
Viva
Sway
- sway.com
- sway.office.com
Tasks
- tasks.office.com
Forms
- forms.office.com
Bing
- Bing.com
Other
- portal.office.com
- admin.microsoft.com
- www.office.com (subdomains are not in-scope unless otherwise listed)
- webshell.suite.office.com
- protection.office.com
- officeapps.live.com
- apis.live.net
- settings.live.net
- policies.live.net

Only the listed domains and endpoints are eligible for bug bounty awards. Subdomains of in-scope domains are also considered in-scope unless otherwise listed in the Out-of-Scope Submission and Vulnerabilities section of this bounty program. Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

For Office 365 services, you can set up your test account here.
For Microsoft Account, you can set up your test account here.
Start your free trial for Microsoft Viva here.
Start your free trial for Viva Pulse here.
Learn more about Office 365 on our documentation page here.

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being used for security research.

BOUNTY AWARDS

Bounty awards range from 1,250upto1,250 up to 1,250upto19,500 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.