Secure research starts with responsible testing.
M365 Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
The Microsoft 365 Bounty Program invites researchers to identify and submit vulnerabilities in specific Microsoft domains and endpoints. Qualified submissions are eligible for bounty awards from $1,250 to $19,500 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Such vulnerability must be of Critical or Important severity as defined by the Microsoft Vulnerability Severity Classification for Online Services.
- The vulnerability must be reproducible in one of the in-scope products or services.
We request researchers include the following information to help us quickly assess their submissions:
- Indicate in the vulnerability submission which high impact scenario (if any) your request qualifies for.
We request researchers include the following information to help us quickly assess their submission:
Submit through the MSRC Researcher Portal.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Most vulnerabilities submitted in the following services are eligible under this bounty program:
- Office 365
- Microsoft Account
- Security Center
- security.microsoft.com
- compliance.microsoft.com
- Outlook
- outlook.office365.com
- outlook.office.com
- outlook.live.com
- outlook.com
- Teams
- teams.microsoft.com
- teams.live.com
- join.microsoft.com
- Lync
- lync.com
- SharePoint Online
- sharepoint.com (excluding user-generated content)
- sharepointonline.com (excluding user-generated content)
- svc.ms
- OneDrive
- onedrive.live.com
- onedrive.com
- 1drv.com (excluding user-generated content)
- livefilestore.com (excluding user-generated content)
- storage.live.com
- Viva
- Sway
- sway.com
- sway.office.com
- Tasks
- tasks.office.com
- Forms
- forms.office.com
- Bing
- Bing.com
- Other
- portal.office.com
- admin.microsoft.com
- www.office.com (subdomains are not in-scope unless otherwise listed)
- webshell.suite.office.com
- protection.office.com
- officeapps.live.com
- apis.live.net
- settings.live.net
- policies.live.net
Only the listed domains and endpoints are eligible for bug bounty awards. Subdomains of in-scope domains are also considered in-scope unless otherwise listed in the Out-of-Scope Submission and Vulnerabilities section of this bounty program. Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
- For Office 365 services, you can set up your test account here.
- For Microsoft Account, you can set up your test account here.
- Start your free trial for Microsoft Viva here.
- Start your free trial for Viva Pulse here.
- Learn more about Office 365 on our documentation page here.
In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being used for security research.
BOUNTY AWARDS
Bounty awards range from $1,250 up to $19,500 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure place on the Microsoft Most Valuable Researcher list.
If a reported vulnerability does not qualify for a bounty award under the High Impact Scenarios, it may be eligible for a bounty award under General Awards (see applicable chart below).
HIGH IMPACT SCENARIOS
| Scenario | Multiplier |
|---|---|
| Remote code execution through untrusted input (CWE-94 "Improper Control of Generation of Code ('Code Injection')") | +30% |
| Remote code execution through untrusted input (CWE-502 "Deserialization of Untrusted Data") | +30% |
| Unauthorized Cross-tenant and cross-identity sensitive data1 leakage (CWE-200 "Exposure of Sensitive Information to an Unauthorized Actor") | +20% |
| Unauthorized cross-identity sensitive data leakage (CWE-488 "Exposure of Data Element to Wrong Session") | +20% |
| "Confused deputy" vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 "Server-Side Request Forgery (SSRF)") | +15% |
1 Sensitive data includes, without limitation, personal information, emails, or chats.
GENERAL AWARDS
| Severity | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Deserialization of Untrusted Data | High Medium Low | $15,000 $10,000 $6,000 | $10,000 $6,000 $4,000 | $0 | $0 |
| Injection (Code Injection) | High Medium Low | $15,000 $10,000 $6,000 | $10,000 $6,000 $4,000 | $0 | $0 |
| Authentication Issues | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Information Disclosure | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Injection (SQL Injection and Command Injection) | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Server-Side Request Forgery (SSRF) | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Improper Access Control | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Cross Site Scripting (XSS) | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Cross-Site Request Forgery (CSRF) | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Web Security Misconfiguration | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Cross Origin Access Issues | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Improper Input Validation | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward under this program.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common out-of-scope issues that typically do not earn bounty awards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation:
- Vulnerabilities that rely on Swagger API
- Vulnerabilities that rely on Akamai ARL misconfiguration
- Dependency Confusion Issues
- Out-of-scope vulnerability types, including:
- Server-side information disclosure such as IPs, server names and most stack traces
- Low impact CSRF bugs (such as logoff)
- Denial of Service issues
- Sub-Domain Takeovers
- Cookie replay vulnerabilities
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- ”Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant
- Out-of-scope subdomains, including:
- attachments.office.net
- attachments.live.net
- attachments.outlook.live.net
- Out-of-scope subdomains may be used to demonstrate vulnerabilities within domains or endpoints listed in the In-Scope Domains, Endpoints, and Products section of this bounty program
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications
- For example in a *.sharepoint.com domain, if a tenant has publicly exposed their own html page with any kind of vulnerability (i.e. DOM-based XSS) this bug is not eligible for bounty, and will not be accepted as a vulnerability
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities in the web application that only affect unsupported browsers and plugins
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service
- Training, documentation, samples, and community forum sites related to Microsoft 365 bounty program products and services are not in scope for bounty awards
- Vulnerabilities requiring bypassing SafeLinks, a protection feature within Outlook
- Vulnerabilities found in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
- September 2014: Program launched.
- April 2015: Program scope updated.
- August 2015: Program scope updated and bounty program name changed from Online Services to Cloud bounty program.
- July 17, 2018: identity related vulnerabilities moved into the Microsoft Identity Bounty Program. (https://www.microsoft.com/msrc/bounty-microsoft-identity)
- December 7, 2018: Updated program introduction, FAQ link, and added revision history section.
- January 17, 2019: Updated award ranges based on impact, severity, and report quality. Added in-scope summary.
- June 12, 2019: Added outlook.live.com to bounty scope.
- July 17, 2019: Added Skype.com and tasks.office.com to bounty scope
- August 5, 2019: Cloud Bounty Program separated into Online Services Bounty Program and Azure Bounty Program. Azure-related scope moved to Azure Bounty Program. Updated pentesting guidance.
- September 2, 2020: Added "training, documentation, samples, and community forum sites" to the list of out of scope submissions. Combined "Bounty Awards" and "Additional Information" sections.
- September 15, 2020: Added returned "forms.office.com" to bounty scope, removed "azure.microsoft.com/en-us/blog"
- September 21, 2020: Removed "www.office.com" from bounty scope, removed "portal.azure.com" from this bounty scope. "portal.azure.com" is covered under the Azure Bounty Program.
- January 11, 2021: Clarified that attachments.office.net, attachments.live.net, and attachments.outlook.live.net are not bounty eligible endpoints.
- January 28, 2021: Added to out of scope - vulnerabilities that rely on Swagger API.
- February 8, 2021: Updated list of “in-scope domains and endpoints”. Added admin.microsoft.com, www.office.com, webshell.suite.office.com, security.microsoft.com, compliance.microsoft.com, sharepointonline.com, livefilestore.com, 1drv.com, svc.ms, teams.live.com, assets-yammer.com to bounty scope. Removed msg.skype.com, asm.skype.com, and manage.windowsazure.com from bounty scope.
- July 7, 2021: Added to out of scope - vulnerabilities requiring bypassing SafeLinks.
- August 26, 2021: Added to out of scope - vulnerabilities that rely on Akamai ARL misconfiguration.
- September 14, 2021: Added to out of scope – vulnerabilities in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- April 14, 2022: Added High Impact Scenarios and Updated In-Scope domains list.
- April 18, 2023: Added reference to the Microsoft Vulnerability Severity Classification for Online Services for the severity in eligible submissions. Updated bounty award table based on vulnerability type.
- April 27, 2023: Added bing.com to In-Scope Domains and Endpoints.
- June 1, 2023: Added Dependency Confusion Issues to Out-of-Scope.
- July 13, 2023: Added "Improper Input Validation" as a vulnerability type in the bounty award table.
- November 19, 2024: Temporary 50% increase in High Impact Scenario amounts for Zero Day Quest event.
- January 28, 2025: Added Viva Engage, Glint, Learning, Pulse, and Feature Access Control to In-Scope Domains, Endpoints, and Products.
- February 27, 2025: Added link for Viva Pulse in the Getting Started section.
- March 3, 2025: Removed reference to Zero Day Quest and bonus multipliers as the research challenge ended.
- May 13, 2025: Updated Research Rules of Engagement section.
- December 11, 2025: Increased award amounts, updated hyperlinks, and standardized language.