Microsoft announced this week at the CanSecWest conference in Vancouver, Canada, that it has added OneDrive to the company’s Online Services Bug Bounty Program.
The tech giant says it’s prepared to pay between $500 and $15,000 for vulnerabilities in the online cloud storage service.
Researchers are invited to submit reports about cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references, injection flaws, authentication bugs, privilege escalations, server-side code execution, and significant security misconfiguration issues found on *.onedrive.live.com and *.onedrive.com.
There haven’t been any reports of significant vulnerabilities in Microsoft OneDrive, but researchers did warn last year that it was one of several popular cloud storage services that malicious actors could abuse in man-in-the-cloud (MITC) attacks. Experts detailed several security design flaws in the affected products that made such attacks possible.
Microsoft announced the addition of OneDrive to its bug bounty program at CanSecWest, where the company’s representatives received the details of six new Windows vulnerabilities that Pwn2Own contestants leveraged for system-level exploits. White hat hackers leveraged memory corruption vulnerabilities in Windows to break Flash Player, Chrome and the company’s Edge browser, in which researchers found two new flaws.
Microsoft made several modifications to its bug bounty programs last year. In April, the company announced the addition of Azure to its Online Services Bug Bounty Program, and in October it promised researchers up to $15,000 for vulnerabilities in .NET core and ASP.NET Beta.
The company also doubled its rewards for a limited period of time for authentication vulnerabilities. This helped Wesley Wineberg, senior security research engineer at Synack, earn $24,000 for reporting an authentication issue in Live.com.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.