Microsoft has announced a new bug bounty program aimed at the Microsoft Defender security platform, with rewards between $500 and $20,000.
While higher awards are possible, Microsoft retains sole discretion to determine the final award amount based on vulnerability severity, impact, and submission quality.
The highest award is available for high-quality reports of critical-severity remote code execution vulnerabilities.
Currently, the Microsoft Defender Bounty Program is limited in scope and will focus only on Microsoft Defender for Endpoint APIs (Application Programming Interfaces). However, it is expected to expand to include other Defender products in the future.
"The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team," said MSRC Senior Program Manager Madeline Eckert.
"Microsoft's Bug Bounty programs represent one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers."
| Vulnerability Type | Report Quality | Critical | Important | Moderate | Low |
|---|---|---|---|---|---|
| Remote Code Execution | High | $20,000 | $15,000 | $0 | $0 |
| Remote Code Execution | Medium | $15,000 | $10,000 | $0 | $0 |
| Remote Code Execution | Low | $10,000 | $5,000 | $0 | $0 |
| Elevation of Privilege | High | $8,000 | $5,000 | $0 | $0 |
| Elevation of Privilege | Medium | $4,000 | $2,000 | $0 | $0 |
| Elevation of Privilege | Low | $3,000 | $1,000 | $0 | $0 |
| Information Disclosure | High | $8,000 | $5,000 | $0 | $0 |
| Information Disclosure | Medium | $4,000 | $2,000 | $0 | $0 |
| Information Disclosure | Low | $3,000 | $1,000 | $0 | $0 |
| Spoofing | High | N/A | $3,000 | $0 | $0 |
| Spoofing | Medium | N/A | $1,200 | $0 | $0 |
| Spoofing | Low | N/A | $500 | $0 | $0 |
| Tampering | High | N/A | $3,000 | $0 | $0 |
| Tampering | Medium | N/A | $1,200 | $0 | $0 |
| Tampering | Low | N/A | $500 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | Out of Scope | Out of Scope | Out of Scope |
The complete list of in-scope security vulnerabilities includes:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by the user)
- Using components with known vulnerabilities (requires a full proof of concept (PoC) of exploitability; for example, simply identifying an outdated library would not qualify for an award)
Per Microsoft's guidelines, if multiple security researchers file reports about the same issue, the bounty will be awarded to the first submission.
Moreover, if a submission qualifies for multiple bounty programs, the researcher will receive the highest single payout award from a single bounty program. Further details regarding the Microsoft Bounty Program are available on this FAQ page.
Today, Microsoft also announced that it paid $58.9 million in rewards to 1,147 security researchers worldwide who reported 446 eligible vulnerabilities across 22 bug bounty programs.
One month earlier, the company announced a new AI bounty program focused on the AI-powered Bing experience, with rewards of up to $15,000.
Last year, Redmond added on-premises Exchange, SharePoint, and Skype for Business to its bug bounty program and increased the maximum awards for high-impact security flaws reported through its Microsoft 365 program.