Microsoft Extends Office Bounty Program

Microsoft has announced an extension to its Microsoft Office Bounty Program, which is now set to run until December 31, 2017.

Launched in mid-March 2017, the bounty program was initially set to run until June 15, 2017, promising payouts between $6,000 and $15,000, depending on the severity and type of the discovered vulnerability. The program was launched for Office Insider Builds on Windows.

Microsoft now says that researchers can submit their bug reports until December 31, 2017, and that the extension is retroactive for any cases submitted during the interim. The company is looking for issues in the Office Insider Builds, which provide users with early access to new Office capabilities and security innovations.

“The engagement we have had with the security community has been great and we are looking to continue that collaboration on the Office Insider Builds on Windows. This program represents a great chance to identify vulnerabilities prior to broad distribution,” Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center, notes in a blog post.

Participating researchers can earn the maximum bug reward of $15,000 for vulnerabilities such as elevation of privilege via an Office Protected View sandbox escape; macro execution by bypassing the security policies that block Office macros in Word, Excel, and PowerPoint; and code execution by bypassing Outlook’s automatic attachment block policies for a predefined set of extensions.

Only high-quality reports on these types of vulnerabilities will be awarded the maximum payout. Low-quality reports, the company says, won’t be awarded more than $9,000. A proof of concept is required for reports to be eligible, but a functioning exploit isn’t, Microsoft explains on the bounty program’s terms page.

Eligible submissions should identify “an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 desktop,” the tech giant says. Submissions that can be reproduced on the previous build but not on the current one aren’t considered eligible.

Microsoft also notes that “the first eligible external report received on an internally known issue under active development will receive a maximum of $1,500.”

Participating researchers should send their submissions to [email protected].

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
