Microsoft announces lucrative new bug bounty awards for M365 products and services
The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs
Microsoft has announced two brand-new awards for its Microsoft 365 bug bounty programmes, offering the highest potential payouts for eligible submissions.
The two new awards focus on scenario-based bugs, Microsoft said and will be available to the Dynamics 365 and Power Platform Bounty Program and the M365 Bounty Program.
The most severe bugs that could be used in high-impact scenarios will be awarded the biggest payouts with the potential for a 30% bonus on top of the vulnerability itself.
Microsoft lists several examples of high-impact scenarios in which it’s looking for reported bugs. Remote code execution (RCE) flaws attract the most lucrative payouts and the full 30% bonus, in some cases, while others such as privilege escalation issues, information disclosure, spoofing, tampering, and denial of service (DoS) bugs also lead to awards.
In Microsoft’s most recent ‘Patch Tuesday’, issued last week, a total of 145 vulnerabilities were addressed and the majority of these were privilege escalation and RCE issues.
RCE vulnerabilities accounted for close to a third of all the bugs that were patched, three of which were rated 9.8/10 for severity and two were wormable.
The severity of the reported bug, combined with the quality of the report itself and whether it can be executed in a high-impact scenario all impact the overall payout.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
There are six total scenarios Microsoft earmarked for bonuses, five of which are exclusive to the M365 Bounty Program. Each one has a unique common weakness enumeration (CWE) code with additional bonuses ranging between 15-30% of the initial bug’s reward.
The Dynamics 365 and Power Platform Bounty Program has just the one high-impact scenario which is ‘cross-tenant information disclosure’ - a condition that warrants a maximum reward of $20,000 if met.
Microsoft added scenario-based rewards to its cloud security bug bounty programs in October last year, offering larger bonuses of up to 50% and a total value of $60,000 for the most severe flaws affecting Azure services.
Cross-tenant data leakage in Azure Synapse Analytics, and compromise logging or auditing keys in Key Vault, were both made eligible for the maximum bonuses at the time.
The company announced in July last year that it awarded a total of $13.6 million in bug bounty payouts in the previous one-year period, a figure three times greater than what it awarded in 2019.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Nissan employee data exposed in Oracle PeopleSoft zero-day attacksNews The car manufacturer has urged current and former employees to change banking passwords and remain vigilant for phishing emails
-
Why Apple is speeding up software patchingNews Apple is speeding up its software patching processes amid rising concerns that AI is helping hackers to spot and exploit flaws at a far quicker pace.
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security