Microsoft Bounty Programs | MSRC


Microsoft Bug Bounty Program

Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Each year we partner together to better protect billions of customers worldwide.

If you are a security researcher that has found a vulnerability in a Microsoft product, service, or device we want to hear from you. If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. All vulnerability submissions are counted in our Researcher Recognition Program and leaderboard, even if they do not qualify for bounty award.

The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here, and our bounty Safe Harbor policy.

Let the hunt begin!

Our bug bounty programs are divided by technology area though they generally have the same high level requirements:

- We want to award you
- We are looking for new
- Avoid harm to customer data
- Follow co-ord vulnerability disclosure

| Program Name | Start date | Last Updated | End date | Eligible entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| Microsoft Azure | 2014-09-23 | 2021-10-18 | Ongoing | Vulnerability reports on Microsoft Azure cloud services | Up to $60,000 USD |
| Microsoft Identity | 2018-07-17 | 2019-10-23 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD |
| Xbox | 2020-01-30 | 2020-01-30 | Ongoing | Vulnerability reports on the Xbox Live network and services | Up to $20,000 USD |
| M365 | 2014-09-23 | 2019-08-05 | Ongoing | Vulnerability reports on applicable Microsoft cloud services, including Office 365 | Up to $20,000 USD |
| Microsoft Azure DevOps Services | 2019-01-17 | 2019-01-17 | Ongoing | Vulnerability reports on applicable Microsoft Azure DevOps Services | Up to $20,000 USD |
| Microsoft Dynamics 365 and Power Platform | 2019-07-17 | 2022-04-14 | Ongoing | Vulnerability reports on applicable Microsoft Dynamics 365 and Power Platform applications | Up to $20,000 USD |
| Microsoft .NET | 2016-09-01 | 2020-11-20 | Ongoing | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD |

| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| Microsoft Hyper-V | 2017-05-31 | 2020-04-13 | Ongoing | Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V | Up to $250,000 USD |
| Microsoft Windows Insider Preview | 2017-07-26 | 2020-08-27 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $100,000 USD |
| Microsoft Applications and On-Premises Servers | 2021-03-24 | 2022-04-05 | Ongoing | Critical and important vulnerabilities in Microsoft Applications and On-Premises Servers | Up to $30,000 USD |
| Windows Defender Application Guard | 2017-07-26 | 2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD |
| Microsoft Edge (Chromium-based) | 2019-08-20 | 2021-10-21 | Ongoing | Critical, important, and moderate vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels | Up to $30,000 USD |
| Office Insider | 2017-03-15 | 2018-12-07 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD |
| ElectionGuard | 2019-10-18 | 2021-03-31 | Ongoing | Vulnerabilities in ElectionGuard | Up to $15,000 USD |

| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| Mitigation Bypass and Bounty for Defense | 2013-06-26 | 2018-10-02 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000) |
| Grant: Microsoft Identity | 2020-01-09 | 2020-04-09 | Ongoing | This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory). | Up to $75,000 USD |
| SIKE Cryptographic Challenge | 2021-06-09 | 2021-06-09 | Ongoing | This challenge awards up to $50,000 USD for solutions that break the SIKE algorithm for two sets of toy parameters. | Up to $50,000 USD |

We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path or to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customer’s security and the ecosystem.

- Frequently Asked Questions
- What to Expect When Reporting Vulnerabilities to Microsoft
- Example of High Quality Reports
- Researcher Recognition Program
- Microsoft Bounty Legal Safe Harbor
- Windows Security Servicing Criteria
- Directory of Azure Services
- Microsoft Documentation for end users, developers, and IT professionals
- Microsoft Security Research & Defense Blog
- HackerOne’s Hacker101 training
- Bugcrowd University

Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submission, vulnerability, or attack methods.

- Tool output
- Social engineering


