PROGRAM DESCRIPTION

Dynamics 365 is a suite of intelligent business applications designed to connect customers, products, people, and operations. We invite individuals or organizations to identify security vulnerabilities in targeted Dynamics 365 applications and share them with our team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.

IN-SCOPE SERVICES AND PRODUCTS 

Most vulnerabilities submitted against Dynamics 365 applications are eligible under this program.  

  • Microsoft Dynamics 365 online applications, including 
    • Dynamics 365 for Sales 
    • Dynamics 365 for Customer Service 
    • Dynamics 365 for Field Service 
    • Dynamics 365 for Talent 
    • Dynamics 365 for Finance and Operations 
    • Dynamics 365 for Retail 
    • Dynamics 365 for Project Service Automation 
    • Dynamics 365 for Marketing 
    • Dynamics 365 Remote Assist 
    • Dynamics 365 Layout 
    • Dynamics 365 AI for Sales 
    • Dynamics 365 AI for Customer Service 
    • Dynamics 365 AI for Market Insights
    • Dynamics 365 Business Central
    • Dynamics 365 General 
  • Microsoft Dynamics 365 on-premise products 
    • Microsoft Dynamics AX 
    • Microsoft Dynamics CRM 
    • Microsoft Dynamics GP 
    • Microsoft Dynamics NAV
    • Microsoft Dynamics SL 

Submissions identifying vulnerabilities in Office 365, Microsoft Account, Azure DevOps, and other online services will be considered under our service-specific or product-specific cloud bounty programs, including the Cloud Bounty Program, Microsoft Identity Bounty Program, or Azure DevOps Bounty Program.  All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program. 

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? 

The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. Vulnerability submissions must meet the following criteria to be eligible for bounty award: 

  • Identify a previously unreported vulnerability in one of the in-scope services or products. 
  • Include clear, concise, and reproducible steps, either in writing or in video format, to help our engineers quickly understand, reproduce, and fix the issue.
    • This allows submissions to be processed as quickly as possible and supports higher bounty awards. 

GETTING STARTED 

HOW ARE AWARD AMOUNTS SET? 

Bounty awards range from $500 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on impact and severity of the vulnerability, and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix. 

Bounty awards by security impact, report quality, and severity:

                                         Severity
Security Impact         Report Quality   Critical   Important   Moderate   Low
----------------------  ---------------  ---------  ----------  ---------  -----
Remote Code Execution   High             $20,000    $15,000     $0         $0
                        Medium           $15,000    $10,000     $0         $0
                        Low              $10,000    $5,000      $0         $0
Elevation of Privilege  High             $8,000     $5,000      $0         $0
                        Medium           $4,000     $2,000      $0         $0
                        Low              $3,000     $1,000      $0         $0
Information Disclosure  High             $8,000     $5,000      $0         $0
                        Medium           $4,000     $2,000      $0         $0
                        Low              $3,000     $1,000      $0         $0
Spoofing                High             N/A        $3,000      $0         $0
                        Medium           N/A        $1,200      $0         $0
                        Low              N/A        $500        $0         $0
Tampering               High             N/A        $3,000      $0         $0
                        Medium           N/A        $1,200      $0         $0
                        Low              N/A        $500        $0         $0
Denial of Service       High/Low         Out of Scope

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category 

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and a proof of concept (PoC). Sample high- and low-quality reports are available here.  

We recognize that some issues are extremely difficult to reproduce and understand, and will take this into consideration when assessing the quality of a submission.

IN SCOPE VULNERABILITIES 

The following are examples of vulnerabilities that may lead to one or more of the above security impacts: 

  • Cross site scripting (XSS)
  • Cross site request forgery (CSRF) 
  • Cross-tenant data tampering or access 
  • Insecure direct object references 
  • Insecure deserialization 
  • Injection vulnerabilities 
  • Server-side code execution 
  • Significant security misconfiguration (when not caused by user) 
  • Unauthorized cross-tenant data tampering or access 

OUT OF SCOPE VULNERABILITIES  

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty rewards. Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty rewards:

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft, or are already known by the wider security community 
  • Vulnerabilities in any version other than latest, fully patched version at time of submission 
  • Vulnerabilities based on user configuration or action, for example: 
    • Vulnerabilities based on user-generated content or user-created apps 
    • Vulnerabilities requiring extensive or unlikely user actions 
    • Security misconfiguration of a service by a user or administrator 
  • Vulnerabilities based on third parties, for example: 
    • Vulnerabilities in third-party software 
    • Vulnerabilities in third-party extensions 
    • Vulnerabilities in platform technologies that are not unique to Dynamics 365 (for example IIS, OpenSSL, etc.)
  • Out of scope vulnerability types, including: 
    • Server-side information disclosure 
    • Denial of service (DoS) attacks  
    • Cookie replay vulnerabilities 
  • Vulnerabilities in other Microsoft Products 
    • Please see the full list of Bounty Programs for other bounty eligible Microsoft products and services.
  • Training, documentation, and community sites related to Dynamics 365 products are not in scope for bounty awards, including
    • experience.dynamics.com
    • community.dynamics.com


Microsoft may reject any submission that it determines (in its sole discretion) falls into any of these categories even if otherwise eligible for bounty.  

HOW DO I PROVIDE MY SUBMISSION? 

Send your complete submission to Microsoft using the MSRC submission portal and the bug submission guidelines. We request that you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.

Have questions? We’re always available at secure@microsoft.com.  

BOUNTY AWARDS 

Microsoft retains sole discretion in determining award amounts and which submissions are eligible and in scope.

  • There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive.  
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.  
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.   
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.

BOUNTY TERMS AND CONDITIONS 

For additional information on Microsoft bounty program requirements and legal guidelines please see our Bounty Terms and our FAQ. 

REVISION HISTORY 

  • 17 July, 2019: Program launched.
  • 29 July, 2019: Documentation and training domains moved out of scope, including experience.dynamics.com and community.dynamics.com.