Microsoft launches bug bounty programme for Teams

The Microsoft Teams app logo displayed on a smartphone

Microsoft has launched a bug bounty reward programme for its Teams desktop client with potential rewards of up to $30,000.

The reward scheme falls under the new Microsoft Applications Bounty Programme, which so far only covers Microsoft Teams but will be expanded to include others in the near future.

Lynn Miyashita, programme manager at Microsoft Security Response Centre (MSRC), said: “Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats. As much of the world has shifted to working from home in the last year, Microsoft Teams has enabled people to stay connected, organized, and collaborate remotely.

“Microsoft and security researchers across the planet continue to partner to help secure customers and the technologies we use for remote collaboration.”

The programme includes scenario-based bounty awards for vulnerabilities that have the highest potential impact on customer privacy and security. The rewards for this range between $6,000 to $30,000.

There are also general bounty rewards for other valid vulnerability reports for the Teams desktop client, with the rewards ranging from $500 to $15,000. Microsoft will also accept submissions for Teams online services, but those will be rewarded under the Online Services Bounty Program, where rewards are between $500 to $20,000.

Valid reports for Microsoft Teams research are also eligible for a 2x bonus multiplier under the Research Recognition Programme, the company has confirmed. These points contribute to a researcher’s eligibility for the annual MSRC Most Valuable Security Researcher list.

In August 2020, it emerged that Microsoft paid out $13.7m (£10.5m) across 15 bounty programmes during the last 12 months, over three times the amount paid to researchers in the same period during 2018/2019. The biggest single reward was $200,000, with 1,226 eligible vulnerability reports being filed during the period.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.