PROGRAM DESCRIPTION

Microsoft 365 and Microsoft Office Servers are your productivity solutions across work and life, designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security. The Microsoft Applications and On-Premises Servers Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft applications and on-premises servers and share them with our team. Qualified submissions are eligible for bounty rewards from $500 to $30,000 USD.

This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.

IN-SCOPE SERVICES AND PRODUCTS

Vulnerabilities submitted in the following apps and on-premises servers are eligible under this bounty program. This list of in-scope apps and on-premises servers reflects high-priority, high-impact security research areas and will continue to evolve over time.

Related Bounty Programs

Submissions identifying vulnerabilities that reproduce only in online services will be reviewed under the Online Services Bounty Program. For eligible bounty targets and awards for research in other Office products, please see the Office Insider Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the right program. 

GETTING STARTED

Teams

Please create a test account and test tenants for security testing and probing.

  • Microsoft Teams desktop client:
    • Sign up for Microsoft Teams free here.
    • To get started with Microsoft 365 for business, you can sign up for a free 1-month trial here.
    • Learn more about Teams on our documentation page here.
    • Learn more about the latest Teams features here.
  • Microsoft Teams mobile applications:
    • Download the iOS application here.
    • Download the Android application here.

Exchange On-Premises

Please create a test account and test tenants for security testing and probing. 

Overview of Exchange

Get the Latest Server and Update bites from...

Installation

After Installation

Installation Issues...

Other Getting Started Websites

SharePoint On-Premises

Skype for Business On-Premises

ELIGIBLE SUBMISSIONS

The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify a vulnerability that was not previously reported to Microsoft.
  • The vulnerability must be of Critical or Important severity.
  • Tested and reproducible on the latest version of the application.
  • Tested and reproducible on a fully patched, supported OS including Windows, macOS, Linux, iOS, or Android (where applicable).
    • More information on the supported OS versions for Teams can be found here.
  • Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team the information necessary to quickly reproduce, understand, and fix the issues.
    • Find examples here
  • Using a component with known vulnerabilities
    • Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.

We request that researchers include the following information to help us quickly assess their submission:

  • Indicate in the vulnerability submission which high-impact scenario (if any) your report qualifies for.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

BOUNTY AWARDS

Bounty awards range from $500 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program.

If a reported vulnerability does not qualify for a bounty award under the High-Impact Scenarios, it may be eligible for a bounty award under General Awards. Eligible submissions will be awarded the single highest qualifying award.

Teams Desktop: High-Impact Scenario Awards

Scenario (maximum award):

  • Remote code execution (native code in the context of the current user) with no user interaction: $30,000
  • Ability to obtain authentication credentials¹ for other users* (note: does not include phishing): $15,000
  • XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction: $10,000
  • Elevation of privilege² which traverses an operating system user boundary: $10,000
  • XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal³ user interaction: $6,000

*Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

¹ Authentication credentials include, without limitation, authentication tokens.

² This includes, without limitation, elevation of privilege in the macOS updater.

³ Minimal user interaction includes, without limitation, the in-app native experience such as previewing a document or expanding a message.

Teams Mobile: High-Impact Scenario Awards

Scenario (maximum award):

  • Remote code execution (within application sandbox) with no user interaction: $30,000
  • Ability to obtain authentication credentials¹ for other users* (note: does not include phishing): $15,000

*Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

¹ Authentication credentials include, without limitation, authentication tokens.

Exchange On-Premises and SharePoint On-Premises: High-Impact Scenario Awards

Scenario (severity multiplier):

  • EXCHANGE ONLY: Server-Side Request Forgery that allows an attacker to make server-side HTTP requests to arbitrary URLs: 20%
  • SHAREPOINT ONLY: Authenticated Server-Side Request Forgery that allows an attacker to make authenticated server-side HTTP requests to arbitrary URLs: 20%
  • Insecure deserialization of user-controllable data, leading to remote code execution on the server: 30%
  • Arbitrary file write of user-controlled data to a user-controlled location on the server: 20%
  • Authentication bypass that allows unauthenticated exploitation and results in mass exploitation of vulnerabilities: 20%
  • Vulnerabilities within Exchange Emergency Mitigation Service (EEMS): 15%

*Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

General Awards

Awards by security impact, severity, and report quality (High / Medium / Low):

  • Remote Code Execution
    • Critical: $20,000 (High report quality), $15,000 (Medium), $10,000 (Low)
    • Important: $15,000 (High), $10,000 (Medium), $5,000 (Low)
    • Moderate: $0
    • Low: $0
  • Elevation of Privilege
    • Critical: $8,000 (High), $4,000 (Medium), $3,000 (Low)
    • Important: $5,000 (High), $2,000 (Medium), $1,000 (Low)
    • Moderate: $0
    • Low: $0
  • Information Disclosure
    • Critical: $8,000 (High), $4,000 (Medium), $3,000 (Low)
    • Important: $5,000 (High), $2,000 (Medium), $1,000 (Low)
    • Moderate: $0
    • Low: $0
  • Spoofing
    • Critical: N/A
    • Important: $3,000 (High), $1,200 (Medium), $500 (Low)
    • Moderate: $0
    • Low: $0
  • Tampering
    • Critical: N/A
    • Important: $3,000 (High), $1,200 (Medium), $500 (Low)
    • Moderate: $0
    • Low: $0
  • Denial of Service (High/Low report quality): Out of Scope

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category.

Sample high- and low-quality reports are available here.  

In all scenarios, please follow the Research Rules of Engagement to ensure your research does not harm customer data, privacy, or service availability. If in doubt, please contact bounty@microsoft.com.

IN SCOPE VULNERABILITIES

The following are examples of vulnerabilities that may lead to one or more of the above security impacts:  

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Cross-tenant data tampering or access
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities
  • Server-side code execution
  • Server-side request forgery (SSRF)
  • Significant security misconfiguration (when not caused by the user)
  • Using a component with known vulnerabilities
    • Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.

RESEARCH RULES OF ENGAGEMENT

The Microsoft Applications and On-Premises Servers Bounty Program scope is limited to technical vulnerabilities in applications and on-premises server products. The following are not permitted:

  • Gaining access to any data that is not wholly your own.
    • For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access data that is not your own. 
  • Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft on-premises products. 
  • Using our services in a way that violates the terms for that service. 

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious. 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review each submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:  

  • Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community 
  • Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations 
  • Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration 
  • Out of Scope vulnerability types, including: 
    • Server-side information disclosure such as IPs, server names and most stack traces 
    • Low impact CSRF bugs (such as logoff) 
    • Denial of Service issues 
    • Sub-Domain Takeovers 
    • Cookie replay vulnerabilities 
    • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability) 
    • "Cross-Site Scripting" bugs in SharePoint that require "Designer" or higher privileges in the target's tenant
  • Vulnerabilities based on user configuration or action, for example: 
    • Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration 
    • Vulnerabilities requiring extensive or unlikely user actions 
    • Vulnerabilities in user-created content or applications. 
      • For example, in a *.sharepoint.com domain, if a tenant has publicly exposed their own HTML page with any kind of vulnerability (e.g. DOM-based XSS), this bug is not eligible for bounty and will not be accepted as a vulnerability
    • Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks 
    • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) 
    • Vulnerabilities used to enumerate or confirm the existence of users or tenants 
  • Vulnerabilities based on third party software, extensions, or platform technologies that are not unique to in scope applications 
  • Vulnerabilities on mobile applications that are modified after downloading from the app store 
  • Vulnerabilities in the web application that only affect unsupported browsers and plugins 
  • Training, documentation, samples, and community forum sites related to Microsoft applications or on-premises servers are not in scope for bounty 
  • Vulnerabilities requiring bypassing SafeLinks, a protection feature within Outlook 

We reserve the right to accept or reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission. 
  • If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria. 

REVISION HISTORY

  • March 24, 2021: Program launched.
  • July 19, 2021: Added Teams mobile applications as in scope product.
  • April 5, 2022: Added Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to bounty scope and added High Impact Scenarios for Exchange on-premises and SharePoint on-premises.