PROGRAM DESCRIPTION

We are excited to launch a security vulnerability bounty program for Microsoft Office Insider on Windows Desktop. Individuals across the globe can receive monetary rewards for submitting security vulnerabilities found in Microsoft Office Insider slow build shipping on the latest, fully patched version of Windows. Office Insider preview updates are delivered to customers in different rings. For the bounty program, we request you submit bugs on the Office Insider Preview slow ring. Check out https://products.office.com/en-us/office-insider and https://products.office.com/en-us/try for more information.

The Microsoft Office Insider Bounty Program is subject to the legal terms outlined here.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

The Microsoft Bug Bounty program is looking to reward high quality submissions that reflect the research that you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.

Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:
  • Identify an original and previously unreported vulnerability that is within scope and reproduces in our latest Office Insider slow ring build on a fully patched Windows 10 machine.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if not obvious.

Scope:

Latest slow ring build of Office Insider Preview on a fully patched Windows 10 machine

Out of Scope:

  • Office Insider Preview builds older than the current slow ring
  • Office Insider Preview builds on older operating systems
  • Mac Office
  • Office applications for iOS and Android

Qualified submissions may be eligible for payment from a minimum of $500 USD to $15,000 USD, and bounties will be paid out at Microsoft’s sole discretion based on the quality and complexity of the vulnerability. Certain submissions may be eligible for bounties of more than $15,000.

HOW ARE PAYMENT AMOUNTS SET?

If we receive multiple eligible bug reports for the same issue from different external parties, the bounty may be granted to the first eligible submission we receive based on the criteria mentioned above.

If a duplicate report provides us new information that adds value to the vulnerability investigation, we may award a differential to the duplicate submission.

The first eligible external report received on an internally known issue under active development will receive a maximum of $1,500 USD.

The payment range for eligible submissions will be based upon the following:

Elevation of privilege via Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office or AppContainer sandbox, that are applicable to any application using them)

  Authentication | User interaction | Report quality | Potential payout range (USD) *
  No             | Required         | High           | Up to $15,000
  No             | Required         | Low            | Up to $9,000

Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint

  Authentication | User interaction | Report quality | Potential payout range (USD) *
  No             | Required         | High           | Up to $15,000
  No             | Required         | Low            | Up to $9,000

Code execution by bypassing Outlook’s automatic attachment block policies for a predefined set of extensions, listed below, that are by default blocked by Outlook

  Authentication | User interaction | Report quality | Potential payout range (USD) *
  No             | Required         | High           | Up to $9,000
  No             | Required         | Low            | Up to $6,000

* Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity.

DEFINITIONS FOR ELIGIBLE SUBMISSIONS:

Elevation of privilege via Office Protected View sandbox escape
To help keep users safe, Office uses Protected View to open untrusted documents. We are looking for researchers to send us information on Office based techniques to escape the sandbox and other privilege escalations.

Bypass of default security policy to block macro execution
By default, the macro security policies block execution of macros without user interaction. In this bounty program, we are encouraging researchers to send us information about vulnerabilities that would allow automatic macro execution in Microsoft Word, Excel and PowerPoint without additional user interaction in the default configuration and without trusting the document.

Bypassing the attachment block list in Outlook
Several file extensions are currently blocked as attachments in Outlook. We’re looking for techniques that will enable bypassing the existing block policies for the list of extensions detailed below.

The most current list of blocked extensions is:
ade;adp;app;asp;bas;bat;cer;chm;cmd;cnt;com;cpl;crt;csh;der;diagcab;exe;
fxp;gadget;grp;hlp;hpj;hta;inf;ins;isp;its;jar;jnlp;js;jse;ksh;lnk;mad;maf;mag;
mam;maq;mar;mas;mat;mau;mav;maw;mcf;mda;mdb;mde;mdt;mdw;mdz;
msc;msh;msh1;msh2;msh1xml;msh2xml;mshxml;msi;msp;mst;ops;osd;
pcd;pif;pl;plg;prf;prg;ps1;ps2;ps1xml;ps2xml;psc1;psc2;pst;reg;scf;scr;sct;
shb;shs;tmp;url;vb;vbe;vbp;vbs;vsmacros;vsw;ws;wsc;wsf;wsh;xbap;xll;xnk

For more information on blocked attachments in Outlook, please check here.

Note: This will NOT cover cases where a file extension not currently blocked as an attachment can lead to RCE. For example, we don’t block some executable attachment types installed by third party software.

WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
  • Vulnerabilities in anything earlier than the current Office Insider slow build on Windows Desktop
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities found by disabling existing security features
  • Vulnerabilities in components not installed by Office
  • Vulnerabilities in third party components that might be installed on the system that enable the vulnerability
  • Vulnerabilities about escaping Protected View where Protected View is explicitly not activated in Office code or enabled by default for the reported scenario.
  • Vulnerabilities in the Application container
  • Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

LEGAL NOTICE

To get additional information on the Microsoft legal guidelines please go here.

Thank you for participating in the Microsoft Bug Bounty Program!