Microsoft adds on-premises Exchange, SharePoint and Skype to Bug Bounty program

Microsoft announced this week that on-premises versions of Exchange, SharePoint and Skype for Business have been added to its Bounty program for on-premises applications and servers.

The tech giant is offering up to $26,000 in rewards for eligible reports detailing high-impact security vulnerabilities in these products.

The expanded bug bounty program was announced alongside steep rewards for scenarios that could have the biggest impact on customer safety, the company said.

For server-side request forgery (SSRF) issues that could allow attackers to make server-side HTTP requests to arbitrary URLs on Exchange, Microsoft is now offering 20% higher rewards. A similar multiplier was announced for authenticated SSRF bugs on SharePoint.

Additionally, Microsoft announced a 30% increase in rewards for issues involving insecure deserialization of user-controllable data that could lead to remote code execution on the server.

For arbitrary file writes of user-controlled data to a user-controlled location on the server, and for authentication bypass bugs that result in massive unauthenticated exploitation of security vulnerabilities, Microsoft offers bug bounties that are 20% higher.

A 15% increase in bug bounty payments has been announced for security issues within the Exchange Emergency Mitigation Service (EEMS).

Further details of the Bug Bounty Program can be found on Microsoft’s On-Premises Servers and Applications Bounty Program web page.

Ionut Arghire is an international correspondent for SecurityWeek.