Microsoft Adds OneDrive to Bug Bounty Program

Microsoft announced this week at the CanSecWest conference in Vancouver, Canada, that it has added OneDrive to the company’s Online Services Bug Bounty Program.

The tech giant says it’s prepared to pay between $500 and $15,000 for vulnerabilities in the online cloud storage service.

Researchers are invited to submit reports about cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references, injection flaws, authentication bugs, privilege escalations, server-side code execution, and significant security misconfiguration issues found on *.onedrive.live.com and *.onedrive.com.

There haven’t been any reports about significant vulnerabilities in Microsoft OneDrive, but researchers did warn last year that it was one of the several popular cloud storage services that malicious actors could abuse in man-in-the-cloud (MITC) attacks. Experts detailed several security design flaws in the affected products that made the attacks possible.

Microsoft announced the addition of OneDrive to its bug bounty program at CanSecWest, where the company’s representatives received the details of six new Windows vulnerabilities that Pwn2Own contestants leveraged for system-level exploits. Memory corruption vulnerabilities in Windows were leveraged by white hat hackers to break Flash Player, Chrome and the company’s Edge browser, in which two new flaws have been found by researchers.

Microsoft made several modifications to its bug bounty programs last year. In April, the company announced the addition of Azure to its Online Services Bug Bounty Program, and in October it promised researchers up to $15,000 for vulnerabilities in .NET core and ASP.NET Beta.

The company also doubled its rewards for a limited period of time for authentication vulnerabilities. This helped Wesley Wineberg, senior security research engineer at Synack, earn $24,000 for reporting an authentication issue in Live.com.