For a few years, Google has been publicly disclosing unpatched security vulnerabilities found by its researchers, many of them in Microsoft's products. Now, to spare itself further embarrassment, Microsoft has launched its own bug bounty program, offering up to $30,000 to security researchers and hackers who report flaws in some of its services and products.
The only catch is that the program is a limited-time contest which ends on 31 May 2017. Clearly, Microsoft wants to regain control over the vulnerability disclosure process: for the last two years Google has had the upper hand, with its researchers finding vulnerabilities in the Internet Explorer and Edge browsers and giving Microsoft 90 days to fix each issue.
The specific domains in which the hackers can look for the vulnerabilities are:
The full list covers 18 domains, plus a further 37 eligible endpoints already covered by the standard bug bounty, in which Microsoft wants hackers to dig deep and find vulnerabilities.
The vulnerabilities which are eligible for submission are:
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- Insecure direct object references
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Authentication vulnerabilities
- Injection vulnerabilities
- Privilege escalation
- Server-side code execution
- Significant security misconfiguration (when not caused by the user)
Although $30,000 is a large sum, it does not match the top reward Google pays for its Chromebook bug bounty, which can grow to $100,000. On the other hand, Cloudflare's bug bounty reward is a simple t-shirt, so for hackers looking to make some bug bucks, this is their chance.
For technical details, the program description, submission eligibility, and the legal terms of this bug bounty program, see Microsoft's blog post here.