Secure research starts with responsible testing.
Microsoft Applications and On-Premises Servers Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
Microsoft 365 and Microsoft Office Servers are your productivity solutions across work and life, designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security. The Microsoft Applications and On-Premises Servers Bounty Program invites to identify vulnerabilities in specific Microsoft applications and on-premises servers and share them with our team. Qualified submissions are eligible for bounty awards from $500 to $30,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Such vulnerability must be of Critical or Important severity.
- Tested and reproducible on the latest version of the application.
- Tested and reproducible on a fully patched, supported OS including Windows, macOS, Linux, iOS, or Android (where applicable).
- More information on the supported OS versions for Teams can be found here.
- Using component with known vulnerabilities
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
We request researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal.
- Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:
- Microsoft Teams desktop client
- Microsoft Teams Android and iOS mobile applications
- Exchange on-premises
- SharePoint on-premises
- Skype for Business on-premises
- SQL Servers on-premises (limited to server-side vulnerabilities in SQL on-premises engines online. Vulnerabilities in drivers or client side are out of scope)
GETTING STARTED
Teams
Please create a test account and test tenants for security testing and probing.
- Microsoft Teams desktop client:
- Microsoft Teams mobile applications:
Exchange On-Premises
Please create a test account and test tenants for security testing and probing.
Overview of Exchange:
Get the Latest Server and Update bites from:
- Build Numbers & Release Dates
- Use the Latest Cumulative Update (CU) with the most recent Security Update (SU)
Installation:
- Always run updates from an Admin Command Prompt
- Preferred Architecture
- Min HW Requirements
- Exchange Prerequisites
- Run SetupAssist to check readiness
After Installation:
- Continue to Upgrade to the Latest Cumulative Update
- Refer to the Security Update Guide to find all recently released security updates
- Run the HealthChecker to scan and inventory servers
Installation Issues:
- Refer to Repair Failed Installations of Exchange Cumulative and Security Updates for troubleshooting failed updates
You can find additional resources and information to help you get started on Exchange from the following sites:
- The Exchange Team Blog
- Active Directory Schema Changes
- Active Directory Object Versions
- Exchange Content Updates
- Exchange Server Supportability Matrix
- Microsoft Exchange Server Support Scripts
SharePoint On-Premises
Skype for Business On-Premises
BOUNTY AWARDS
Bounty awards range from $500 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
If a reported vulnerability does not qualify for a bounty award under the High-Impact Scenarios, it may be eligible for a bounty award under General Awards.
Teams Desktop: High-Impact Scenario Awards
| Scenario | Maximum Award |
|---|---|
| Remote code execution (native code in the context of the current user) with no user interaction | $30,000 |
| Ability to obtain authentication credentials1 for other users* (note: does not include phishing) | $15,000 |
| XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction | $10,000 |
| Elevation of privilege2 which traverses an operating system user boundary | $10,000 |
| XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal3 user interaction | $6,000 |
Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
1Authentication credentials includes, without limitation, authentication tokens.
2This includes, without limitation, elevation of privilege in the macOS updater.
3Minimal user interaction includes, without limitation, the in-app native experience such as previewing a document or expanding a message.
Teams Mobile: High-Impact Scenario Awards
| Scenario | Maximum Award |
|---|---|
| Remote code execution (within application sandbox) with no user interaction | $30,000 |
| Ability to obtain authentication credentials1 for other users* (note: does not include phishing) | $15,000 |
Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
1Authentication credentials includes, without limitation, authentication tokens.
Exchange On-Premises and SharePoint On-Premises: High-Impact Scenario Awards
| Scenario | Bonus |
|---|---|
| EXCHANGE ONLY: Server-Side Request Forgery allows an attacker to make server-side HTTP requests to arbitrary URLs | 20% |
| SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL | 20% |
| Insecure deserialization of user-controllable data, leading to remote code execution on server | 30% |
| Arbitrary file write of user-controlled data on user-controlled location on the server | 20% |
| Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities | 20% |
| Vulnerabilities within Exchange Emergency Mitigation Service (EEMS) | 15% |
*Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
General Awards
| Severity | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Remote Code Execution | High Medium Low | $20,000 $15,000 $10,000 | $15,000 $10,000 $5,000 | $0 | $0 |
| Elevation of Privilege | High Medium Low | $8,000 $4,000 $3,000 | $5,000 $2,000 $1,000 | $0 | $0 |
| Information Disclosure | High Medium Low | $8,000 $4,000 $3,000 | $5,000 $2,000 $1,000 | $0 | $0 |
| Spoofing | High Medium Low | N/A | $3,000 $1,200 $500 | $0 | $0 |
| Tampering | High Medium Low | N/A | $3,000 $1,200 $500 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | |||
Sample high- and low-quality reports are available here.
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out- of- scope issues that typically do not earn bounty awards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations
- Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration
- Out-of-Scope vulnerability types, including:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- ”Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications.
- For example, in a *.sharepoint.com domain, if a tenant has publicly exposed their own html page with any kind of vulnerability (i.e., DOM-based XSS) this bug is not eligible for bounty, and will not be accepted as a vulnerability
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities on mobile applications that are modified after downloading from the app store
- Vulnerabilities in the web application that only affect unsupported browsers and plugins
- Vulnerabilities requiring bypassing SafeLinks, a protection feature within Outlook
- Vulnerabilities for SQL clients, drivers, or components not shipped by default.
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service.
- Training, documentation, samples, and community forum sites related to Microsoft Applications or On-Premises Server products and services are out of scope for bounty awards.
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
- March 24, 2021: Program launched.
- July 19, 2021: Added Teams mobile applications as in scope product.
- April 5, 2022: Added Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to bounty scope and added High Impact Scenarios for Exchange on-premises and SharePoint on-premises.
- May 13, 2025: Updated Research Rules of Engagement section.
- December 11, 2025: Added SQL servers to scope with out of scope exclusions. Updated hyperlinks and standardized language.