M365 Bounty Program
PROGRAM DESCRIPTION
The Microsoft 365 Bounty Program invites researchers across the globe to identify and submit vulnerabilities in specific Microsoft domains and endpoints. Qualified submissions are eligible for bounty rewards of $500 to $27,000 USD.
This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.
IN-SCOPE SERVICES AND PRODUCTS
Most vulnerabilities submitted in the following services are eligible under this bounty program:
- Office 365
- Microsoft Account
For a detailed list, please see the In-Scope Domains and Endpoints section on this page.
Related Cloud Bounty Programs
Submissions identifying vulnerabilities in Azure, Azure DevOps, or Microsoft-identity related online services will be considered under the Azure Bounty Program, Azure DevOps Bounty Program, Microsoft Dynamics 365 Bounty Program or the Microsoft Identity Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program.
GETTING STARTED
Please create a test account and test tenants for security testing and probing.
- For Office 365 services, you can set up your test account here.
- For Microsoft Account, you can set up your test account here.
- Learn more about Office 365 on our documentation page here.
In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being in use for the bug bounty program.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be of Critical or Important severity as defined by the Microsoft Vulnerability Severity Classification for Online Services and must reproduce in one of the in-scope products or services.
- Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team the information necessary to quickly reproduce, understand, and fix the issues.
- Find examples here.
We request that researchers include the following information to help us quickly assess their submissions:
- Indicate in the vulnerability submission which high impact scenario (if any) your submission qualifies for.
Microsoft may, at our sole discretion, accept or reject any submission that we determine does not meet the above criteria.
BOUNTY AWARDS
Bounty awards range from $500 up to $27,000. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program.
If a reported vulnerability does not qualify for a bounty award under the High Impact Scenarios, it may be eligible for a bounty award under General Awards. Eligible submissions will be awarded the single highest qualifying award.
HIGH IMPACT SCENARIOS
Scenario | Maximum Award | Maximum Award (Zero Day Quest event)*
---|---|---
Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code ('Code Injection')”) | +30% | +80%
Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”) | +30% | +80%
Unauthorized cross-tenant and cross-identity sensitive data¹ leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) | +20% | +70%
Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”) | +20% | +70%
“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”) | +15% | +65%

*50% increase in High Impact Scenarios for Zero Day Quest event.
¹ Sensitive data includes, without limitation, personal information, emails, or chats.
GENERAL AWARDS
Awards by vulnerability type, report quality, and severity (Critical, Important, Moderate, Low):

Vulnerability Type | Report Quality | Critical | Important | Moderate | Low
---|---|---|---|---|---
Deserialization of Untrusted Data | High | $15,000 | $10,000 | $0 | $0
Deserialization of Untrusted Data | Medium | $10,000 | $5,000 | $0 | $0
Deserialization of Untrusted Data | Low | $6,000 | $3,000 | $0 | $0
Injection (Code Injection) | High | $15,000 | $10,000 | $0 | $0
Injection (Code Injection) | Medium | $10,000 | $5,000 | $0 | $0
Injection (Code Injection) | Low | $6,000 | $3,000 | $0 | $0
Authentication Issues | High | $10,000 | $5,000 | $0 | $0
Authentication Issues | Medium | $5,000 | $2,000 | $0 | $0
Authentication Issues | Low | $3,000 | $1,000 | $0 | $0
Injection (SQL Injection and Command Injection) | High | $10,000 | $5,000 | $0 | $0
Injection (SQL Injection and Command Injection) | Medium | $5,000 | $2,000 | $0 | $0
Injection (SQL Injection and Command Injection) | Low | $3,000 | $1,000 | $0 | $0
Server-Side Request Forgery (SSRF) | High | $10,000 | $5,000 | $0 | $0
Server-Side Request Forgery (SSRF) | Medium | $5,000 | $2,000 | $0 | $0
Server-Side Request Forgery (SSRF) | Low | $3,000 | $1,000 | $0 | $0
Improper Access Control | High | $10,000 | $5,000 | $0 | $0
Improper Access Control | Medium | $5,000 | $2,000 | $0 | $0
Improper Access Control | Low | $3,000 | $1,000 | $0 | $0
Cross Site Scripting (XSS) | High | $6,000 | $3,000 | $0 | $0
Cross Site Scripting (XSS) | Medium | $3,000 | $1,200 | $0 | $0
Cross Site Scripting (XSS) | Low | $2,000 | $500 | $0 | $0
Cross-Site Request Forgery (CSRF) | High | $6,000 | $3,000 | $0 | $0
Cross-Site Request Forgery (CSRF) | Medium | $3,000 | $1,200 | $0 | $0
Cross-Site Request Forgery (CSRF) | Low | $2,000 | $500 | $0 | $0
Web Security Misconfiguration | High | $6,000 | $3,000 | $0 | $0
Web Security Misconfiguration | Medium | $3,000 | $1,200 | $0 | $0
Web Security Misconfiguration | Low | $2,000 | $500 | $0 | $0
Cross Origin Access Issues | High | $6,000 | $3,000 | $0 | $0
Cross Origin Access Issues | Medium | $3,000 | $1,200 | $0 | $0
Cross Origin Access Issues | Low | $2,000 | $500 | $0 | $0
Improper Input Validation | High | $6,000 | $3,000 | $0 | $0
Improper Input Validation | Medium | $3,000 | $1,200 | $0 | $0
Improper Input Validation | Low | $2,000 | $500 | $0 | $0

RULES OF ENGAGEMENT FOR TESTING BOUNTY-ELIGIBLE M365 SERVICES
The M365 Bounty Program scope is limited to technical vulnerabilities in online M365 products and services. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:
- Gaining access to any data that is not wholly your own.
  - For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access data that is not your own.
- Moving beyond “proof of concept” repro steps for server-side execution issues.
  - For example, proving that you have sysadmin access with SQLi is acceptable; running xp_cmdshell is not.
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the terms for that service.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
IN SCOPE VULNERABILITIES
The following are examples of vulnerabilities that may lead to one or more of the above security impacts:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Using components with known vulnerabilities
  - Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
IN-SCOPE DOMAINS AND ENDPOINTS
- Security Center
  - security.microsoft.com
  - compliance.microsoft.com
- Outlook
  - outlook.office365.com
  - outlook.office.com
  - outlook.live.com
  - outlook.com
- Teams
  - teams.microsoft.com
  - teams.live.com
  - join.microsoft.com
- Lync
  - lync.com
- SharePoint Online
  - sharepoint.com (excluding user-generated content)
  - sharepointonline.com (excluding user-generated content)
  - svc.ms
- OneDrive
  - onedrive.live.com
  - onedrive.com
  - 1drv.com (excluding user-generated content)
  - livefilestore.com (excluding user-generated content)
  - storage.live.com
- Skype
  - skype.com
  - skyapi.live.net
- Yammer
  - yammer.com
  - assets-yammer.com
- Sway
  - sway.com
  - sway.office.com
- Tasks
  - tasks.office.com
- Forms
  - forms.office.com
- Bing
  - bing.com
- Other
  - portal.office.com
  - admin.microsoft.com
  - www.office.com (subdomains are not in-scope unless otherwise listed)
  - webshell.suite.office.com
  - protection.office.com
  - officeapps.live.com
  - apis.live.net
  - settings.live.net
  - policies.live.net
Only the domains and endpoints listed above are eligible for bug bounty awards. Subdomains of in-scope domains are also considered in-scope unless otherwise listed in the Out-of-Scope Submissions and Vulnerabilities section of this bounty program. Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation:
  - Vulnerabilities that rely on Swagger API
  - Vulnerabilities that rely on Akamai ARL misconfiguration
  - Dependency Confusion Issues
- Out of Scope vulnerability types, including:
  - Server-side information disclosure such as IPs, server names and most stack traces
  - Low impact CSRF bugs (such as logoff)
  - Denial of Service issues
  - Sub-Domain Takeovers
  - Cookie replay vulnerabilities
  - URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  - “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant
- Out of Scope subdomains, including:
  - attachments.office.net
  - attachments.live.net
  - attachments.outlook.live.net
  - Out of Scope subdomains may be used to demonstrate vulnerabilities within domains or endpoints listed in the In-Scope Domains and Endpoints section of this bounty program
- Vulnerabilities that are addressed via product documentation updates, without change to product code or function
- Vulnerabilities based on user configuration or action, for example:
  - Vulnerabilities requiring extensive or unlikely user actions
  - Vulnerabilities in user-created content or applications.
    - For example, in a *.sharepoint.com domain, if a tenant has publicly exposed their own HTML page with any kind of vulnerability (e.g. DOM-based XSS), this bug is not eligible for bounty and will not be accepted as a vulnerability
  - Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
  - Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  - Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities based on third parties, for example:
  - Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
  - Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
  - Vulnerabilities in the web application that only affect unsupported browsers and plugins
- Training, documentation, samples, and community forum sites related to Microsoft M365 products and services are not in scope for bounty
- Vulnerabilities requiring bypassing SafeLinks, a protection feature within Outlook
- Vulnerabilities found in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com
We reserve the right to accept or reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
Am I eligible for bounty if I find a vulnerability while pentesting Microsoft Azure or M365?
It is your responsibility to comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement. To receive a bounty, an organization or individual must submit a report identifying a bounty eligible vulnerability to Microsoft using the MSRC submission portal and bug submission guidelines.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
Thank you for participating in the Microsoft Bug Bounty Program!
REVISION HISTORY
- September 2014: Program launched.
- April 2015: Program scope updated.
- August 2015: Program scope updated and bounty program name changed from Online Services to Cloud bounty program.
- July 17, 2018: Identity-related vulnerabilities moved into the Microsoft Identity Bounty Program. (https://www.microsoft.com/msrc/bounty-microsoft-identity)
- December 7, 2018: Updated program introduction, FAQ link, and added revision history section.
- January 17, 2019: Updated award ranges based on impact, severity, and report quality. Added in-scope summary.
- June 12, 2019: Added outlook.live.com to bounty scope.
- July 17, 2019: Added skype.com and tasks.office.com to bounty scope.
- August 5, 2019: Cloud Bounty Program separated into Online Services Bounty Program and Azure Bounty Program. Azure-related scope moved to Azure Bounty Program. Updated pentesting guidance.
- September 2, 2020: Added "training, documentation, samples, and community forum sites" to the list of out of scope submissions. Combined "Bounty Awards" and "Additional Information" sections.
- September 15, 2020: Returned "forms.office.com" to bounty scope, removed "azure.microsoft.com/en-us/blog".
- September 21, 2020: Removed "www.office.com" from bounty scope, removed "portal.azure.com" from this bounty scope. "portal.azure.com" is covered under the Azure Bounty Program.
- January 11, 2021: Clarified that attachments.office.net, attachments.live.net, and attachments.outlook.live.net are not bounty eligible endpoints.
- January 28, 2021: Added to out of scope - vulnerabilities that rely on Swagger API.
- February 8, 2021: Updated list of “in-scope domains and endpoints”. Added admin.microsoft.com, www.office.com, webshell.suite.office.com, security.microsoft.com, compliance.microsoft.com, sharepointonline.com, livefilestore.com, 1drv.com, svc.ms, teams.live.com, assets-yammer.com to bounty scope. Removed msg.skype.com, asm.skype.com, and manage.windowsazure.com from bounty scope.
- July 7, 2021: Added to out of scope - vulnerabilities requiring bypassing SafeLinks.
- August 26, 2021: Added to out of scope - vulnerabilities that rely on Akamai ARL misconfiguration.
- September 14, 2021: Added to out of scope - vulnerabilities in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- April 14, 2022: Added High Impact Scenarios and Updated In-Scope domains list.
- April 18, 2023: Added reference to the Microsoft Vulnerability Severity Classification for Online Services for the severity in eligible submissions. Updated bounty award table based on vulnerability type.
- April 27, 2023: Added bing.com to In-Scope Domains and Endpoints.
- June 1, 2023: Added Dependency Confusion Issues to Out-of-Scope.
- July 13, 2023: Added "Improper Input Validation" as a vulnerability type in the bounty award table.
- November 19, 2024: Temporary 50% increase in High Impact Scenario amounts for Zero Day Quest event.