Secure research starts with responsible testing.
Open Source Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
The Microsoft Open-Source Bounty Program invites researchers to identify vulnerabilities in eligible Microsoft owned open-source repositories and share them with our team. Qualified submissions are eligible for bounty awards from $750 to $15,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- The vulnerability must be present in an open-source library by default or manifest in a first party Microsoft service that was not previously reported to, or otherwise known by, Microsoft.
- The vulnerability must be Critical or Important severity and reproducible on the most recent actively maintained branch.
We request researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
- Azure SDKs, limited to the following:
- azure/azure-sdk
- azure/azure-sdk-for-net
- azure/azure-sdk-for-python
- azure/azure-sdk-for-js
- azure/azure-sdk-for-java
- azure/azure-sdk-for-go
- azure/azure-sdk-for-rust
- azure/azure-sdk-tools
- FluentUI
- PowerShell
- TypeScript
- Visual Studio Code
- Microsoft Agent Framework
- Monaco-editor
- Msquic
Example attack scenarios
- Vulnerabilities leading to the ability to push code to a Microsoft-owned open-source project
- Vulnerabilities leading to a supply chain compromise
- Any vulnerabilities that can lead to deserialization, remote code execution, cross site scripting, or elevation of privilege
GETTING STARTED
Please create a test account for security testing and probing. Please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
BOUNTY AWARDS
Bounty awards range from $750 up to $15,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
GENERAL AWARDS
| Severity | |||||
|---|---|---|---|---|---|
| Vulnerability Type | Report Quality | Critical | Important | Moderate | Low |
| Deserialization of Untrusted Data | High Medium Low | $15,000 $10,000 $6,000 | $10,000 $6,000 $4,000 | $0 | $0 |
| Injection (Code Injection) | High Medium Low | $15,000 $10,000 $6,000 | $10,000 $6,000 $4,000 | $0 | $0 |
| Authentication Issues | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Injection (SQL Injection and Command Injection) | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Server-Side Request Forgery (SSRF) | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Improper Access Control | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Cross Site Scripting (XSS) | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Cross-Site Request Forgery (CSRF) | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Web Security Misconfiguration | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Cross Origin Access Issues | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Improper Input Validation | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| GitHub Actions | High Medium Low | $5,000 $3,000 $1,500 | $3,000 $1,500 $750 | $0 | $0 |
OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award under this program.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerabilities that are addressed via documentation updates, without change to product code or function
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications
- Vulnerabilities that are limited to the local machine
- Leaked non-live or test tokens and credentials without any impact on Microsoft services
- Vulnerabilities that rely on non-default Visual Studio Code extensions
- Vulnerabilities found in Untrusted pickle files on ONNX Runtime
- Vulnerabilities found in listed in scope libraries that are in:
- Hackathon repositories
- Samples
- Demo code
- Dependency confusion issues
- Server-side information disclosure, such as IPs, server names, and most stack traces
- Low impact CSRF bugs (such as logoff)
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service
- Training, documentation, samples, and community forum sites related to Microsoft Open Source products and services are out-of-scope for bounty awards
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
December 11, 2025: Program launched