Finding a Microsoft 365 bug is now more lucrative than ever

Security researchers and white hat hackers will now be able to earn even more when finding bugs in Microsoft 356, Dynamics 365 and Microsoft’s Power Platform.

In a new blog post, the Microsoft Security Response Center revealed that it is raising the maximum awards for high-impact security flaws reported to the Dynamics 365 and Power Platform Bounty Program as well as the M365 Bounty Program.

Now when a cross-tenant information disclosure bug is found in Dynamics 365 and Power Platform, bug hunters can earn up to $20k. Meanwhile, remote code execution through untrusted input bugs in Microsoft 365 will be worth an additional 30 percent, unauthorized cross-tenant and cross identity sensitive data leakage will be worth an extra 20 percent and “confused deputy” vulnerabilities will worth an additional 15 percent.

These new bounty awards are part of Microsoft’s “continued efforts to partner with the security research community” as part of the software giant’s holistic approach to defending against security threats.

Finding bugs in on-premise Exchange, SharePoint and Skype for Business

In addition to expanding its bug bounty rewards in Microsoft 365, Dynamics 365 and Power Platform, Microsoft also recently added on-premise Exchange, SharePoint and Skype for Business to its Applications and On-Premises Servers Bounty Program.

This expanded bug bounty program makes it possible for security researchers who find and report vulnerabilities that affect on-premises servers to earn rewards ranging from $500 all the way up to $26k. 

It’s worth noting that “higher rewards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission” according to a separate blog post from the Microsoft Security Response Center.

When it comes to the severity multiplier for these kinds of bugs, server-side request forgery bugs are worth an additional 20 percent in both Exchange and Sharepoint.

Security researchers and white hat hackers interested in learning more can find out all the details by visiting Microsoft’s Applications and On-Premises Servers Bounty Program page.

Via BleepingComputer