Microsoft 365 Insider Builds on Windows Bounty Program
The Microsoft 365 Insider on Windows Desktop Bounty Program invites security researchers across the globe to identify security vulnerabilities in Word, Excel, Outlook, OneNote and PowerPoint in the Microsoft 365 Insider Preview on Windows and share them with our team. Qualified submissions are eligible for bounty awards with a maximum award of $30,000 USD.
The goal of the Microsoft 365 Insider Preview Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers.
Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be Critical or Important severity.
- Each submission must include a proof of concept and clear, concise, and reproducible steps, either in writing or in video format.
- Provide our engineers with the information necessary to quickly reproduce, understand, and fix the issue.
- Find examples here.
- Each proof of concept must demonstrate the vulnerability against Word, Excel, Outlook, PowerPoint or OneNote on Current Channel (Preview) on a fully patched version of Windows 11.
We request that researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal
- Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for
- Describe the attack vector for the vulnerability
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
Bounty awards have a maximum award of $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission.
Researchers who provide submissions that do not qualify for bounty awards under the scenarios below may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.
Microsoft 365: High-Impact Scenario Awards
- Unauthenticated¹ non-sandboxed code execution with no user interaction
¹ Unauthenticated attacks are only those attacks that require no credentials.
Eligible vulnerability types:
- Remote Code Execution
- Elevation of Privilege*
- Security Feature Bypass**
*Elevation of privilege, such as:
- Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office, or in the AppContainer sandbox, that are applicable to any application using them)
- Elevation from the current user to a higher-privilege account
**Bypassing security policies that block certain functionality by default (for example, the default block of Office macros, the default block of older file formats, and the default block of certain types of attachments in Word, Excel, PowerPoint, OneNote and Outlook). The Office security baseline (Security baseline for Microsoft 365 Apps for enterprise - Deploy Office | Microsoft Learn) contains a list of the security policies in scope.
To get started, join the Microsoft 365 Insider program. For more information, see:
- Microsoft 365 Insider Blog
- Microsoft 365 Insider Handbook
- Microsoft 365 Insider FAQ
- Follow us @Msft365Insider
Example of Elevation of Privilege via Protected View sandbox escape
To help keep users safe, Microsoft 365 uses Protected View to open untrusted documents. We are looking for M365-based techniques that escape this sandbox, and for other privilege escalations.
Examples for the Bypass of Default Security Policy category
Policies that block macro execution by default
By default, the macro security policies block execution of macros without user interaction, or completely disable the ability to enable macros for documents originating from the Internet. We are looking for vulnerabilities that would allow automatic macro execution in the M365 apps included in the bounty scope, without additional user interaction, in the default configuration, and without trusting the document or removing the Mark of the Web.
Policy that blocks certain attachment types in Outlook by default
Several file extensions are currently blocked by default as attachments in Outlook. We're looking for techniques that bypass the default block and allow those formats as email attachments (for example, .exe files).
For more information on blocked attachments in Outlook, please check here.
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for a bounty reward. Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty rewards:
- Publicly disclosed vulnerabilities that have already been reported to Microsoft or are already known to the wider security community.
- Any submission that does not demonstrate testing and reproduction on the latest Microsoft 365 Insider, Current Channel (Preview) on a fully patched version of Windows 11 at the time of submission. Older builds, online services, older operating systems, and Mac, iOS, Android, or other operating systems that are not Windows are not eligible for bounty rewards.
- Vulnerabilities in:
  - user-generated content;
  - scenarios requiring extensive or unlikely user actions, or found by disabling existing security features;
  - by-design product behavior where a specific security policy doesn't apply by default, for example:
    - files opened from trusted locations, where VBA macros are allowed to be executed;
    - opening files from a trusted location or printing documents, where Protected View is not enabled by default;
  - components not installed by Office;
  - third-party components that might be installed on the system and that enable the vulnerability;
  - the Windows implementation of AppContainer.
- Reports from automated tools or scans that do not include a POC and additional analysis to demonstrate the exploitability of the vulnerability.
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
RESEARCH RULES OF ENGAGEMENT
The Microsoft 365 Insider Bounty program's scope is limited to technical vulnerabilities in Office-related products and services as outlined in the scope on this page. If you discover customer data while conducting your research, or are unclear whether it is safe to proceed, please stop and contact us at firstname.lastname@example.org. The following are not permitted:
- Gaining access to any data that is not wholly your own.
- Moving beyond "proof of concept" repro steps for server-side execution issues.
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the applicable terms for that service.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
For additional information, please see our FAQ. In summary:
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
Thank you for participating in the Microsoft Bug Bounty Program!
Revision History
- December 7, 2018: Updated duplicate report policy and added revision history.
- August 29, 2022: Added MDAG Scope and Attack Scenario.
- January 20, 2023: Updated from "Office Insider" to "Microsoft 365 Insider".
- February 27, 2024: Increased the maximum bounty award to $30,000 USD for high impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. Expanded the scope to include Security feature bypass and Microsoft OneNote. Introduced a tiered approach to awards for vulnerabilities that meet critical and important severity and (high/medium/low) report quality.