Microsoft announces Defender bug bounty program
Microsoft has announced a new bug bounty program aimed at unearthing vulnerabilities in Defender-related products and services, and is offering participants the possibility to earn up to $20,000 for the most critical bugs.
The Microsoft Defender bug bounty program
Microsoft Defender includes various products and services that are build to secure and protect Microsoft users.
“The [Microsoft Defender Bounty Program] will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will expand to include other products in the Defender brand over time,” the company has shared.
Participants should report “significant” vulnerabilities that have a “direct and demonstrable impact” on the security of Microsoft’s customers.
The following type of vulnerabilities are in-scope:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Server side request forgery (SSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Using components with known vulnerabilities (full PoC of exploitability is required)
Participants that report vulnerabilities of Critical or Important severity could earn rewards between $500 to $20,000. The biggest rewards are reserved for bug hunters who deliver high-quality reports on critical remote code execution flaws.
“Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award,” the company noted.
As per usual, in case of multiple reports for the same vulnerability, the first submission will be considered for the reward.
The bounty program’s scope is limited to technical vulnerabilities in Defender-related products and services.
Last month, Microsoft started an AI bug bounty program that offers researchers up to $15,000 if they find and report vulnerabilities in its AI-powered “Bing experience”.