
Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programs

We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.

| Scenario | Maximum Award |
| --- | --- |
| Cross-tenant information disclosure | $20,000 |

Eligible submissions may qualify for 15-30% bonuses on top of the general M365 bounty awards and will be awarded the single highest qualifying award.

| Scenario | Maximum Award |
| --- | --- |
| Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”) | +30% |
| Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”) | +30% |
| Unauthorized Cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) | +20% |
| Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”) | +20% |
| “Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”) | +15% |

These new bounty awards are part of our continued efforts to partner with the security research community as part of Microsoft’s holistic approach to defending against security threats. If you have any questions about these new scenarios or any other security research incentive program, please email us at bounty@microsoft.com.

Lynn Miyashita and Madeline Eckert, MSRC
