PROGRAM DESCRIPTION

The Microsoft Office Insider on Windows Desktop Bounty Program invites individuals across the globe to submit security vulnerabilities found in Microsoft Office Insider, Current Channel (Preview) on the latest, fully patched version of Windows. Office Insider preview updates are delivered to customers in different rings. For the bounty program, we request you submit bugs on the Office Insider Preview, Current Channel (Preview). Qualified submissions are eligible for bounty awards from $600 to $15,000 USD.

This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor Policy.

ELIGIBLE SUBMISSIONS

The goal of the Office Insider Preview Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify an original and previously unreported vulnerability that is within scope and reproducible in our latest Office Insider Current Channel (Preview) build on a fully patched Windows 11 machine.
  • Vulnerabilities must be Critical or Important severity and reproducible on the latest, fully patched version of the product or service.
  • Include clear, concise, and reproducible steps, either in writing or in video format.
  • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.

We request researchers include the following information to help us quickly assess their submission:

  • Submit through the MSRC Researcher Portal
  • Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for
  • Describe the attack vector for the vulnerability

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

Each submission must include a proof of concept.

Scope:

  • Latest Office Insider, Current Channel (Preview) on a fully patched Windows 11 machine
  • Latest Microsoft Defender Application Guard build of Office Insider Preview on a fully patched Windows 11 machine.

BOUNTY AWARDS

Bounty awards range from $600 up to $15,000. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission.

Researchers who provide submissions that do not qualify for bounty awards under the scenarios below may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.

Office Attack Scenarios | Vulnerability Impact | Report Quality | Award*
------------------------|----------------------|----------------|--------
Elevation of privilege via Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office or AppContainer sandbox, that are applicable to any application using them) | | High | $15,000
| | Low | $9,000
Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint. | | High | $15,000
| | Low | $9,000
Code execution by bypassing Outlook’s automatic attachment block policies for a predefined set of extensions, listed below, that are by default blocked by Outlook. | | High | $9,000
| | Low | $6,000

Microsoft Defender Application Guard for Office Attack Scenarios | Vulnerability Impact | Report Quality | Award*
-----------------------------------------------------------------|----------------------|----------------|--------
Elevation of privilege via Microsoft Defender Application Guard for Office container escape | | High | $15,000
| | Low | $9,000

*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity


GETTING STARTED

Elevation of privilege via Office Protected View sandbox escape

To help keep users safe, Office uses Protected View to open untrusted documents. We are looking for researchers to send us information on Office based techniques to escape the sandbox and other privilege escalations.

Elevation of privilege via Microsoft Defender Application Guard for Office container escape:

To help keep users safe, Office uses MDAG to open untrusted documents. We are looking for researchers to send us information on Office based techniques to escape the container and other privilege escalations.

Bypass of default security policy to block macro execution

By default, the macro security policies block execution of macros without user interaction. In this bounty program, we are encouraging researchers to send us information about vulnerabilities that would allow automatic macro execution in Microsoft Word, Excel and PowerPoint without additional user interaction in the default configuration and without trusting the document.

Bypassing the attachment block list in Outlook

Several file extensions are currently blocked as attachments in Outlook. We’re looking for techniques that will enable bypassing the existing block policies for the list of extensions detailed below.

The most current list of blocked extensions is:

ade;adp;app;asp;bas;bat;cer;chm;cmd;cnt;com;cpl;crt;csh;der;diagcab;exe;
fxp;gadget;grp;hlp;hpj;hta;inf;ins;isp;its;jar;jnlp;js;jse;ksh;lnk;mad;maf;mag;
mam;maq;mar;mas;mat;mau;mav;maw;mcf;mda;mdb;mde;mdt;mdw;mdz;
msc;msh;msh1;msh2;msh1xml;msh2xml;mshxml;msi;msp;mst;ops;osd;
pcd;pif;pl;plg;prf;prg;ps1;ps2;ps1xml;ps2xml;psc1;psc2;pst;reg;scf;scr;sct;
shb;shs;tmp;url;vb;vbe;vbp;vbs;vsmacros;vsw;ws;wsc;wsf;wsh;xbap;xll;xnk

For more information on blocked attachments in Outlook, please check here.

Note: This will NOT cover cases where a file extension not currently blocked as an attachment can lead to RCE. For example, we don’t block some executable attachment types installed by third party software.


OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:

  • Office Insider Preview builds older than the current Office Insider, Current Channel (Preview)
  • Office Insider Preview builds on older operating systems
  • Mac Office
  • Office applications for iOS and Android
  • Vulnerabilities in:
    • user-generated content
    • requiring extensive or unlikely user actions found by disabling existing security features
    • components not installed by Office
    • third party components that might be installed on the system that enable the vulnerability
    • escaping Protected View or Microsoft Defender Application Guard where Protected View or Microsoft Application Guard is explicitly not activated in Office code or enabled by default for the reported scenario.
    • Windows Implementation of Application container

Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion.

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

RESEARCH RULES OF ENGAGEMENT

The Office Insider Bounty program’s scope is limited to technical vulnerabilities in Office-related products and services as outlined in the scope of this page. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:

  • Gaining access to any data that is not wholly your own.
  • Moving beyond “proof of concept” repro steps for server-side execution issues.
  • Any kind of Denial of Service testing.
  • Performing automated testing of services that generates significant amounts of traffic.
  • Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
  • Using our services in a way that violates the applicable terms for that service.

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.

ADDITIONAL INFORMATION

For additional information please see our FAQ.

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

Thank you for participating in the Microsoft Bug Bounty Program!


REVISION HISTORY

  • December 7, 2018: Updated duplicate report policy and added revision history.
  • August 29, 2022: Added MDAG Scope and Attack Scenario.