Microsoft launched a new bug bounty program, this time for finding vulnerabilities in its online services. Microsoft said it will pay a minimum of $500 for qualified bug bounty submissions.Microsoft Online Services Bug Bounty covers the following domains:portal.office.com*.outlook.com (Office 365 for business email services applications, excluding any consumer \u201coutlook.com\u201d services)outlook.office365.comlogin.microsoftonline.com*.sharepoint.com*.lync.com*.officeapps.live.comwww.yammer.comapi.yammer.comadminwebservice.microsoftonline.comprovisioningapi.microsoftonline.comgraph.windows.netBefore testing, however, Microsoft said to check \u201cWHOIS\u201d records for all resolved IPs to ensure the domain is owned by Microsoft. Third parties that host for Microsoft, under subdomains owned by Microsoft, are not part of the online bug bounty program. Office 365 separately announced its participation in the program because it takes \u201csecurity vulnerabilities very seriously;\u201d customers asked Microsoft for it; it\u2019s the \u201cright thing to do.\u201dIn order for web application vulnerability submissions to be processed as quickly as possible and result in the highest payment possible, Microsoft wants submissions to include concise reproduction steps that can be easily understood. Eligible submissions include the following vulnerabilities types: \u201cCross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Unauthorized cross-tenant data tampering or access (for multi-tenant services), Insecure direct object references, Injection Flaws, Authentication Flaws, Server-side Code Execution, Privilege Escalation and Significant Security Misconfiguration.\u201dEven if you find vulnerabilities in Microsoft\u2019s online services, no bounty will be awarded for any of the following \u201ccategories of vulnerabilities even if otherwise eligible for a bounty.\u201dMissing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as \u201chttponly\u201d)Server-side information disclosure such as IPs, server names and most stack tracesBugs in the web application that only affect unsupported browsers and pluginsBugs used to enumerate or confirm the existence of users or tenantsBugs requiring unlikely user actionsURL Redirects (unless combined with another flaw to produce a more severe vulnerability)Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)\u201dCross Site Scripting\u201d bugs in SharePoint that require \u201cDesigner\u201d or higher privileges in the target\u2019s tenant.Low impact CSRF bugs (such as logoff)Denial of Service issuesCookie replay vulnerabilitiesHere are the rules for testing. Microsoft said, "You must create test accounts, and test tenants, for security testing and probing. For Office 365 services, you can set up your test account here. In all cases, where possible, include the string \u2018MSOBB\u2019 in your account name and\/or tenant name in order to identify a tenant as being in use for the bug bounty program."The following are not allowed to be tested on Microsoft online services:Any kind of Denial of Service testing.Performing automated testing of services that generates significant amounts of traffic.Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and\/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these trial accounts to access the data of a legitimate customer or account.Moving beyond \u201cproof of concept\u201d repro steps for server-side execution issues (i.e. proving that you have sysadmin access with sqli is acceptable, running xp_cmdshell is not).Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the above specified Microsoft Online Services.Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.Microsoft said to follow bug submission guidelines and send the completed submission to firstname.lastname@example.org.Happy hacking hunting!