Microsoft has announced an extension to its Microsoft Office Bounty Program, which is now set to run until December 31, 2017.
Launched in mid-March 2017, the bounty program was initially set to run until June 15, 2017, promising payouts between $6,000 to $15,000, depending on the discovered vulnerability’s severity and type. The program was launched for Office Insider Builds on Windows.
Microsoft now says that researchers can submit their bug reports until December 31, 2017, and that the extension is retroactive for any cases submitted during the interim. The company is looking for issues in the Office Insider Builds, which provide users with early access to new Office capabilities and security innovations.
“The engagement we have had with the security community has been great and we are looking to continue that collaboration on the Office Insider Builds on Windows. This program represents a great chance to identify vulnerabilities prior to broad distribution,” Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center, notes in a blog post.
Participating researchers can earn the maximum bug reward of $15,000 for vulnerabilities such as Elevation of privilege via Office Protected View sandbox escape; Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint; and Code execution by bypassing Outlook’s automatic attachment block policies for a predefined set of extensions.
Only high quality reports on these types of vulnerabilities will be awarded the maximum payout. Low quality reports, the company says, won’t be awarded more than $9,000. Proof of concept is required for reports to be eligible, but a functioning exploit isn’t, Microsoft explains in the bounty program’s terms page.
Eligible submissions should identify “an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 desktop,” the tech giant says. Submissions that can be reproduced on the previous build but not on the current aren’t considered eligible.
Microsoft also notes that “the first eligible external report received on an internally known issue under active development will receive a maximum of $1,500.”
Participating researchers should send their submissions to secure@microsoft.com.
Related: Intel Offers Up to $30,000 for Hardware Vulnerabilities