MSRC

Secure research starts with responsible testing.

Microsoft 365 Insider Builds on Windows Bounty Program

Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers. 
 

IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.

PROGRAM DESCRIPTION

The Microsoft 365 Insider on Windows Bounty Program invites researchers to identify security vulnerabilities in Word, Excel, Outlook, OneNote and PowerPoint in the Microsoft 365 Insider Preview on Windows and share them with our team. Qualified submissions are eligible for bounty awards from $500 to $30,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

 

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards: 

  • The vulnerability must reproduce in one of the in-scope products or services.
  • Include clear, concise, and reproducible steps, either in writing or in video format.
    • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
    • Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
  • Each proof of concept must demonstrate the vulnerability against Word, Excel, Outlook, PowerPoint, OneNote on Current Channel (Preview) on a fully patched version of Windows 11.
  • Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for and describe the attack vector for the vulnerability.

We request researchers include the following information to help us quickly assess their submission:


 

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

  • Word, Excel, Outlook, PowerPoint, OneNote on Current Channel (Preview)

 

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research. 

To get started, join the Microsoft 365 Insider program. For more information, see:

 
Example of Elevation of privilege via Protected View sandbox escape

To help keep users safe, Microsoft 365 uses Protected View to open untrusted documents. We are looking for M365-based techniques to escape the sandbox and other privilege escalations.

 
Examples for Bypass of default security policy category

 

Policies block macro execution by default
By default, the macro security policies block execution of macros without user interaction, or completely disable the ability to enable macros for documents originating from the Internet. We are looking for vulnerabilities that would allow automatic macro execution in M365 apps included in the bounty scope without additional user interaction in the default configuration and without trusting the document or removing the Mark of the Web.

Policy that blocks by default certain types of Outlook attachments
Several file extensions are currently blocked by default as attachments in Outlook. We’re looking for techniques that will bypass the default block and allow those formats as email attachments (for example, .exe files).
 
For more information on blocked attachments in Outlook, please check here.

 

BOUNTY AWARDS

Bounty awards range from $500 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submissions will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and a secure place on the Microsoft Most Valuable Researcher list.

 

MICROSOFT 365: HIGH-IMPACT SCENARIO AWARDS

Scenario: Unauthenticated¹ non-sandboxed code execution with no user interaction. The MSRC case must contain a video proof of concept (POC) demonstrating the vulnerability upon submission in order to qualify for the scenario award. For an Outlook scenario, the video proof of concept (POC) should demonstrate the vulnerability in the Outlook Preview Pane upon submission.
Maximum Award: $30,000

¹ Unauthenticated attacks are only those attacks that require no credentials.
GENERAL AWARDS

Vulnerability Type        Report Quality   Severity: Critical   Severity: Important
Remote Code Execution     High             $15,000              $10,000
                          Medium           $12,000              $7,000
                          Low              $9,000               $5,000
Elevation of Privilege¹   High             $15,000              $8,000
                          Medium           $12,000              $5,000
                          Low              $9,000               $3,000
Security Feature Bypass²  High             $8,000               $3,000
                          Medium           $5,000               $1,200
                          Low              $3,000               $500

¹ Elevation of privilege, such as:

  • Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office or AppContainer sandbox, that are applicable to any application using them).
  • Elevation from current user to a higher privilege account.

² Bypassing security policies that block certain functionality by default (for example, the default block of Office macros, the default block of older file formats, or the default block of certain types of attachments in Word, Excel, PowerPoint, OneNote and Outlook). The Office security baseline (Security baseline for Microsoft 365 Apps for enterprise - Deploy Office | Microsoft Learn) contains a list of the security policies in scope.

 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for a bounty award.

If your submission is evaluated as out of scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.

Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
  • Any submission that does not demonstrate testing and reproduction on the latest Microsoft 365 Insider, Current Channel (Preview) on a fully patched version of Windows 11 at the time of submission. Older builds, online services, older operating systems, and Mac, iOS, Android, or other operating systems that are not Windows are not eligible for bounty rewards.
  • Vulnerabilities:
    • In user-generated content.
    • Requiring extensive or unlikely user actions, or found by disabling existing security features.
    • In by-design product behavior where a specific security policy doesn’t apply by default, for example:
      • Files opened from trusted locations, where VBA macros are allowed to execute.
      • Opening files from a trusted location, or printing documents, where Protected View is not enabled by default.
  • Components not installed by Office.
  • Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service.
  • The Windows implementation of the application container (AppContainer).
  • Training, documentation, samples, and community forum sites related to Microsoft 365 Insider Builds on Windows Bounty Program products and services are out-of-scope for bounty awards.
  • Reports from automated tools or scans that do not include a POC and additional analysis to demonstrate the exploitability of the vulnerability.

Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

 

ADDITIONAL INFORMATION

For additional information please see our FAQ.

 

REVISION HISTORY

  • December 7, 2018: Updated duplicate report policy and added revision history.
  • August 29, 2022: Added MDAG Scope and Attack Scenario.
  • January 20, 2023: Updated from "Office Insider" to "Microsoft 365 Insider".
  • February 27, 2024: Increased the maximum bounty award to $30,000 USD for high impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. Expanded the scope to include Security feature bypass and Microsoft OneNote. Introduced a tiered approach to awards for vulnerabilities that meet critical and important severity and (high/medium/low) report quality.
  • May 13, 2025: Updated Research Rules of Engagement section.
  • July 28, 2025: Updated the High Impact Scenario Award for unauthenticated non-sandboxed code execution with no user interaction to include POC requirements.
  • December 11, 2025: Updated hyperlinks and standardized language.