Eligible vulnerabilities are worth at least $500. Microsoft has launched a new bug bounty program, this time for vulnerabilities in its online services, and says it will pay a minimum of $500 for qualifying submissions.

The Microsoft Online Services Bug Bounty covers the following domains:

- portal.office.com
- *.outlook.com (Office 365 for business email services applications, excluding any consumer "outlook.com" services)
- outlook.office365.com
- login.microsoftonline.com
- *.sharepoint.com
- *.lync.com
- *.officeapps.live.com
- www.yammer.com
- api.yammer.com
- adminwebservice.microsoftonline.com
- provisioningapi.microsoftonline.com
- graph.windows.net

Before testing, however, Microsoft says to check the WHOIS records for all resolved IPs to ensure that the host is actually owned by Microsoft: third parties that host services for Microsoft, under subdomains owned by Microsoft, are not part of the online bug bounty program. A hostname that matches an in-scope pattern is therefore not enough on its own; the infrastructure behind it has to be Microsoft's as well.

Office 365 separately announced its participation in the program because it takes "security vulnerabilities very seriously," because customers asked Microsoft for it, and because it is "the right thing to do."

In order for web application vulnerability submissions to be processed as quickly as possible and to result in the highest possible payment, Microsoft wants submissions to include concise reproduction steps that can be easily understood.
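The pre-test scope check described above, as an added example (this is not Microsoft's tooling or any part of the program): match a hostname against the published domain list, treating `*.` patterns as covering subdomains only, so that neither the apex `outlook.com` nor look-alikes such as `evil-outlook.com` or `outlook.com.attacker.example` pass, and then require every resolved IP to be registered to Microsoft before testing. The WHOIS table, the hostnames and the IP addresses are constructed for the example (TEST-NET ranges, not real allocations) so it runs offline; a real check would resolve the host and query WHOIS or RDAP for each address.

```python
"""Scope check for the Microsoft Online Services Bug Bounty domain list.

Added example, not Microsoft's code. WHOIS data is a constructed table so
the script runs offline; in practice resolve the host and query WHOIS/RDAP
for every IP it resolves to.
"""
import ipaddress
from typing import Optional, Tuple

# Domain list as published for the program (from the article).
IN_SCOPE = [
    "portal.office.com",
    "*.outlook.com",
    "outlook.office365.com",
    "login.microsoftonline.com",
    "*.sharepoint.com",
    "*.lync.com",
    "*.officeapps.live.com",
    "www.yammer.com",
    "api.yammer.com",
    "adminwebservice.microsoftonline.com",
    "provisioningapi.microsoftonline.com",
    "graph.windows.net",
]

# Constructed WHOIS table (assumption: TEST-NET-3 and TEST-NET-2, not real allocations).
CONSTRUCTED_WHOIS = {
    ipaddress.ip_network("203.0.113.0/24"): "Microsoft Corporation",
    ipaddress.ip_network("198.51.100.0/24"): "Example Hosting Provider",
}


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so 'PORTAL.OFFICE.COM.' compares equal."""
    return host.strip().rstrip(".").lower()


def matches(pattern: str, host: str) -> bool:
    """True if host is covered by a scope pattern.

    '*.example.com' covers any subdomain (including deeper labels) but not the
    apex itself; the leading dot is kept in the suffix so 'evil-example.com'
    cannot slip through, and endswith() rejects 'example.com.attacker.test'.
    """
    host = normalize(host)
    pattern = normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_scope(host: str) -> Optional[str]:
    """Return the first matching scope pattern, or None if the host is out of scope."""
    for pattern in IN_SCOPE:
        if matches(pattern, host):
            return pattern
    return None


def whois_org(ip: str, table=CONSTRUCTED_WHOIS) -> Optional[str]:
    """Look up the registrant organisation for an IP in the (constructed) WHOIS table."""
    addr = ipaddress.ip_address(ip)
    for net, org in table.items():
        if addr in net:
            return org
    return None


def clear_to_test(host: str, resolved_ips, table=CONSTRUCTED_WHOIS) -> Tuple[bool, str]:
    """Apply both program conditions: in-scope hostname AND Microsoft-owned IPs."""
    pattern = in_scope(host)
    if pattern is None:
        return False, f"{host} matches no in-scope domain"
    for ip in resolved_ips:
        org = whois_org(ip, table)
        if org is None or "microsoft" not in org.lower():
            return False, (f"{host} -> {ip} is registered to {org!r}, not Microsoft: "
                           "third-party hosted, out of scope")
    return True, f"{host} matches {pattern} and all resolved IPs are Microsoft-owned"


if __name__ == "__main__":
    # Constructed hostnames and addresses for demonstration.
    for host, ips in [("contoso.sharepoint.com", ["203.0.113.10"]),
                      ("contoso.sharepoint.com", ["203.0.113.10", "198.51.100.5"]),
                      ("outlook.com", ["203.0.113.20"]),
                      ("evil-outlook.com", ["203.0.113.30"])]:
        ok, why = clear_to_test(host, ips)
        print(("OK   " if ok else "STOP ") + why)
```

The second condition is the one testers most often skip: a `*.sharepoint.com` host that resolves to a third-party provider's address space is out of scope even though the name matches, and the table-driven check makes that a hard stop rather than a judgement call.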
Eligible submissions include the following vulnerability types: "Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Flaws, Authentication Flaws, Server-side Code Execution, Privilege Escalation and Significant Security Misconfiguration."

Even if you find them in Microsoft's online services, no bounty will be awarded for the following "categories of vulnerabilities even if otherwise eligible for a bounty":

- Missing HTTP security headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly")
- Server-side information disclosure such as IPs, server names and most stack traces
- Bugs in the web application that only affect unsupported browsers and plugins
- Bugs used to enumerate or confirm the existence of users or tenants
- Bugs requiring unlikely user actions
- URL redirects (unless combined with another flaw to produce a more severe vulnerability)
- Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example)
- Cross Site Scripting bugs in SharePoint that require "Designer" or higher privileges in the target's tenant
- Low-impact CSRF bugs (such as logoff)
- Denial of Service issues
- Cookie replay vulnerabilities

Here are the rules for testing. Microsoft said, "You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string 'MSOBB' in your account name and/or tenant name in order to identify a tenant as being in use for the bug bounty program."

The following are not allowed when testing Microsoft online services:

- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Gaining access to any data that is not wholly your own. For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.
- Moving beyond "proof of concept" repro steps for server-side execution issues (i.e. proving that you have sysadmin access with SQLi is acceptable; running xp_cmdshell is not).
- Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services.

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.

Microsoft said to follow the bug submission guidelines and send the completed submission to secure@microsoft.com. Happy hunting!