Microsoft has expanded its Microsoft 365 Bug Bounty Program, with broader service coverage and clearer guidelines for security researchers. The updated program aims to encourage global participation, with rewards ranging from $500 for moderate vulnerabilities to as much as $27,000 for critical issues. The initiative continues Microsoft’s commitment to strengthening cybersecurity by leveraging the expertise of external security researchers to address vulnerabilities in key M365 services such as Office 365 and Microsoft Account.
Researchers are invited to report previously unknown vulnerabilities that directly impact user security. Submissions must include a clear, reproducible proof of concept to demonstrate the issue, and Microsoft emphasizes the importance of responsible and ethical testing. Researchers are expected to avoid unauthorized data access, denial-of-service attacks, and social engineering techniques. Cross-site scripting, insecure deserialization, and SQL injection are among the issue types commonly submitted.
The program also includes additional incentives for high-impact scenarios, such as remote code execution and cross-tenant data leakage, with bonuses ranging from 15% to 80%.
Moreover, Microsoft’s “Zero Day Quest” event further boosts rewards by up to 50% for vulnerabilities found during the event period. The company’s goal is to tackle critical vulnerabilities swiftly and reward those who contribute to making the platform more secure.
Microsoft’s updates to the M365 Bug Bounty Program reflect its ongoing trust in the global research community and its dedication to a collaborative approach to cybersecurity. This initiative is part of a broader effort that aligns with other bounty programs for services like Azure and Dynamics 365. By enhancing the program, Microsoft continues to demonstrate its commitment to providing secure solutions for its users while fostering a cooperative environment for tackling cyber threats.