Microsoft Defender Bounty Program

PROGRAM DESCRIPTION

Defender is a Microsoft brand that includes a variety of products and services that are aimed at protecting the Microsoft customer experience. The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team. The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs and will expand to include other products in the Defender brand over time. Qualified submissions are eligible for bounty rewards from $500 to $20,000 USD.

This bounty program is subject to these terms and those outlined in the  Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy.

ELIGIBLE SUBMISSIONS

The goal of the Defender Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards: 

Identify a vulnerability in listed in-scope Defender products that was not previously reported to, or otherwise known by, Microsoft.
Such vulnerability must be Critical or Important severity and reproducible on the latest, fully patched version of the product or service.
Include clear, concise, and reproducible steps, either in writing or in video format.
Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.

We request researchers include the following information to help us quickly assess their submission:

Submit through the MSRC Researcher Portal.
Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for.
Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

IN-SCOPE SERVICES AND PRODUCTS

This bounty program currently covers a subset of the Microsoft Defender for Endpoint product. Specifically, the following services are in-scope:

Microsoft Defender for Endpoint Public APIs
- Overview of Management and APIs Documentation

Related Cloud Bounty Programs

Submissions identifying vulnerabilities in Azure, Azure DevOps, or Microsoft-identity-related online services will be considered under the M365 Bounty Program, Azure Bounty Program, Azure DevOps Bounty Program, Microsoft Dynamics 365 Bounty Program, or the Microsoft Identity Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program.

GETTING STARTED

Here are some useful links for getting started. While this getting-started material is broad, please ensure that you’re focusing your research on only the public MDE APIs.

Public APIs Documentation
- Overview of management and APIs
- Supported Microsoft Defender for Endpoint APIs
Get started with a 3-month Trial tenant

BOUNTY AWARDS

Bounty awards range from $500 to $20,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.

GENERAL AWARDS

Vulnerability Type	Report Quality	Severity
		Critical	Important	Moderate	Low
Remote Code Execution	High Medium Low	$20,000 $15,000 $10,000	$15,000 $10,000 $5,000	$0	$0
Elevation of Privilege	High Medium Low	$8,000 $4,000 $3,000	$5,000 $2,000 $1,000	$0	$0
Information Disclosure	High Medium Low	$8,000 $4,000 $3,000	$5,000 $2,000 $1,000	$0	$0
Spoofing	High Medium Low	N/A	$3,000 $1,200 $500	$0	$0
Tampering	High Medium Low	N/A	$3,000 $1,200 $500	$0	$0
Denial of Service	High/Low	Out of Scope

Vulnerability Type

Report Quality

Severity

Critical

Important

Moderate

Low

Remote Code Execution

High

Medium

Low

$20,000

$15,000

$10,000

$15,000

$10,000

$5,000

Elevation of Privilege

High

Medium

Low

$8,000

$4,000

$3,000

$5,000

$2,000

$1,000

Information Disclosure

High

Medium

Low

$8,000

$4,000

$3,000

$5,000

$2,000

$1,000

Spoofing

High

Medium

Low

N/A

$3,000

$1,200

$500

Tampering

High

Medium

Low

N/A

$3,000

$1,200

$500

Denial of Service

High/Low

Out of Scope

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category. 

Sample high- and low-quality reports are available here. 

IN SCOPE VULNERABILITIES  

The following are examples of vulnerabilities that may lead to one or more of the above security impacts:  

Cross site scripting (XSS)  
Cross site request forgery (CSRF)  
Server side request forgery (SSRF)
Cross-tenant data tampering or access  
Insecure direct object references  
Insecure deserialization  
Injection vulnerabilities  
Server-side code execution  
Significant security misconfiguration (when not caused by user)  
Using components with known vulnerabilities 
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.

RESEARCH RULES OF ENGAGEMENT 

The Defender Bounty program’s scope is limited to technical vulnerabilities in Defender-related products and services. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted: 

Gaining access to any data that is not wholly your own.  
- For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access data that is not your own.  
Moving beyond “proof of concept” repro steps for server-side execution issues 
- For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).  
Any kind of Denial of Service testing. 
Performing automated testing of services that generate significant amounts of traffic.  
Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.  
Using our services in a way that violates the terms for that service.

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.  

OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES 

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:  

Publicly disclosed vulnerabilities that have already been reported to Microsoft or are already known to the wider security community
Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. 
Out-of-scope vulnerability types, including:
- Vulnerabilities requiring physical access to hardware components
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Cookie replay vulnerabilities 
- Sub-Domain Takeovers 
- Denial of Service issues
- Low-impact CSRF bugs (such as logoff) 
- Server-side information disclosure such as IPs, server names, and most stack traces 
Vulnerabilities that are addressed via product documentation updates, without a change to product code or function.
Vulnerabilities based on user configuration or action, for example: 
- Vulnerabilities requiring extensive or unlikely user actions 
- Vulnerabilities in user-created content or applications. 
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks 
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) 
- Vulnerabilities used to enumerate or confirm the existence of users or tenants 
Vulnerabilities based on third parties, for example: 
- Vulnerabilities in third-party software provided by Azure such as gallery images and ISV applications 
- Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities) 
- Vulnerabilities in a web application that only affect unsupported browsers and plugins
Any vulnerabilities in the Defender portal

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

ADDITIONAL INFORMATION

For additional information, please see our FAQ. 

If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.

If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission. 

If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.

Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

REVISION HISTORY 

November 21, 2023: Program launched.  