Payment ceiling for Microsoft Applications Bounty Program is $10k higher than online services counterpart

Microsoft has launched a bug bounty program for 365 applications, with Microsoft Teams’ desktop client the sole in-scope target for now.

Announced yesterday (March 24), the Microsoft Applications Bounty Program will pay out bounty rewards of between $500 and $30,000 for valid security vulnerabilities – a substantially higher ceiling than the $20,000 on offer under its online services counterpart.

Five scenario-based awards ranging between $6,000 and $30,000 are on offer for remote code execution (RCE), authentication credential theft, privilege escalation, and XSS or similar flaws leading to arbitrary code execution with minimal or no user interaction.

Other valid vulnerability reports will attract rewards within the $500 to $15,000 range.


RELATED Facebook awards $55k bug bounty for vulnerabilities that could compromise its internal network


In a related development, valid vulnerability reports for Microsoft Teams are now eligible for a 200% bonus multiplier applied to points earned under the Researcher Recognition Program.

Determined by the bug’s severity and impact, points are accrued for vulnerabilities found on eligible applications and contribute towards Microsoft Security Response Center’s (MSRC) annual Most Valuable Security Researcher roll call.

Security researchers should continue to submit vulnerabilities found in Teams’ web browser application to Microsoft’s Online Services Bounty Program.

365 protection

Microsoft did not specify when other Microsoft 365 desktop clients, such as for OneDrive, Outlook, and PowerPoint, would be brought within scope for the new program.

“Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats,” said MSRC program manager Lynn Miyashita.

“As much of the world has shifted to working from home in the last year, Microsoft Teams has enabled people to stay connected, organized, and collaborate remotely.


Catch up on the latest bug bounty news


Miyashita added: “Microsoft and security researchers across the planet continue to partner to help secure customers and the technologies we use for remote collaboration.”

Microsoft Teams, a videoconferencing and business collaboration platform, reported a 50% surge to 115 million daily active users in the six months after Covid-19 was declared a pandemic.


RELATED Facebook awards $55k bug bounty for third-party vulnerabilities that could compromise its internal network