Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Temporarily Doubles Bounty Payouts for Online Services Bugs

For the next two months, developers who report vulnerabilities as part of Microsoft’s Online Services bounty program will receive doubled rewards for their work, the company announced.

For the next two months, developers who report vulnerabilities as part of Microsoft’s Online Services bounty program will receive doubled rewards for their work, the company announced.

Starting on March 1, 2017 until May 1, 2017, eligible vulnerability discoveries submitted for Microsoft Office 365 Portal and Microsoft Exchange Online will be rewarded twice as much as before. 

Developers interested in getting the double rewards should be looking for vulnerabilities in six of the company’s domains:,,, *, and

Microsoft launched the Online Services Bug Bounty program in September 2014 , and expanded it in April 2015 and August 2015 to add various Azure and Office 365 properties. Last year, the company added OneDrive to the program.

The company would normally pay between $500 and $15,000 for vulnerabilities in the online services, but bugs submitted during March and April can bring payments between $1,000 and $30,000. All of the vulnerabilities listed in the Online Services Bug Bounty Terms are eligible for the increased bounties.

On its Online Services Bug Bounty portal, Microsoft lists as eligible submissions the following types of vulnerabilities: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Vulnerabilities, Authentication Vulnerabilities, Server-side Code Execution, Privilege Escalation, Significant Security Misconfiguration (when not caused by user).

“We realize the desire of researchers and customers to security test our services to ensure they can trust us and our solutions. We also believe that if a researcher informs us of a security flaw in our Office 365 services, they should be awarded for protecting us. These discoveries along with our internal security testing efforts contribute to keeping our users safe,” Akila Srinivasan and Travis Rhodes, Microsoft Security Response Center, note in a blog post.

Related: Darknet Marketplace Hansa Launches Bug Bounty Program

Related: Netgear Launches Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet