Microsoft announced this week at the CanSecWest conference in Vancouver, Canada, that it has added OneDrive to the company’s Online Services Bug Bounty Program.
The tech giant says it’s prepared to pay between $500 and $15,000 for vulnerabilities in the online cloud storage service.
Researchers are invited to submit reports about cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references, injection flaws, authentication bugs, privilege escalations, server-side code execution, and significant security misconfiguration issues found on *.onedrive.live.com and *.onedrive.com.
There haven’t been any reports about significant vulnerabilities in Microsoft OneDrive, but researchers did warn last year that it was one of the several popular cloud storage services that malicious actors could abuse in man-in-the-cloud (MITC) attacks. Experts detailed several security design flaws in the affected products that made the attacks possible.
Microsoft announced the addition of OneDrive to its bug bounty program at CanSecWest, where the company’s representatives received the details of six new Windows vulnerabilities that Pwn2Own contestants leveraged for system-level exploits. White hat hackers used memory corruption vulnerabilities in Windows to break Flash Player, Chrome and the company’s Edge browser; researchers also found two new flaws in Edge itself.
Microsoft made several modifications to its bug bounty programs last year. In April, the company announced the addition of Azure to its Online Services Bug Bounty Program, and in October it promised researchers up to $15,000 for vulnerabilities in .NET Core and ASP.NET Beta.
The company also doubled its rewards for a limited period of time for authentication vulnerabilities. This helped Wesley Wineberg, senior security research engineer at Synack, earn $24,000 for reporting an authentication issue in Live.com.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.