Microsoft has announced two brand-new awards for its Microsoft 365 bug bounty programmes, offering the highest potential payouts for eligible submissions.
The two new awards focus on scenario-based bugs, Microsoft said and will be available to the Dynamics 365 and Power Platform Bounty Program and the M365 Bounty Program.
The most severe bugs that could be used in high-impact scenarios will be awarded the biggest payouts with the potential for a 30% bonus on top of the vulnerability itself.
Microsoft lists several examples of high-impact scenarios in which it’s looking for reported bugs. Remote code execution (RCE) flaws attract the most lucrative payouts and the full 30% bonus, in some cases, while others such as privilege escalation issues, information disclosure, spoofing, tampering, and denial of service (DoS) bugs also lead to awards.
In Microsoft’s most recent ‘Patch Tuesday’, issued last week, a total of 145 vulnerabilities were addressed and the majority of these were privilege escalation and RCE issues.
RCE vulnerabilities accounted for close to a third of all the bugs that were patched, three of which were rated 9.8/10 for severity and two were wormable.
The severity of the reported bug, combined with the quality of the report itself and whether it can be executed in a high-impact scenario all impact the overall payout.
There are six total scenarios Microsoft earmarked for bonuses, five of which are exclusive to the M365 Bounty Program. Each one has a unique common weakness enumeration (CWE) code with additional bonuses ranging between 15-30% of the initial bug’s reward.
The Dynamics 365 and Power Platform Bounty Program has just the one high-impact scenario which is ‘cross-tenant information disclosure’ - a condition that warrants a maximum reward of $20,000 if met.
Microsoft added scenario-based rewards to its cloud security bug bounty programs in October last year, offering larger bonuses of up to 50% and a total value of $60,000 for the most severe flaws affecting Azure services.
Cross-tenant data leakage in Azure Synapse Analytics, and compromise logging or auditing keys in Key Vault, were both made eligible for the maximum bonuses at the time.
The company announced in July last year that it awarded a total of $13.6 million in bug bounty payouts in the previous one-year period, a figure three times greater than what it awarded in 2019.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
