PROGRAM DESCRIPTION

Microsoft 365 is your productivity cloud across work and life, designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security. The Microsoft Application Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft apps and share them with our team. Qualified submissions are eligible for bounty rewards from $500 to $30,000 USD.

This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions

IN-SCOPE SERVICES AND PRODUCTS

Vulnerabilities submitted in the following apps are eligible under this bounty program. This list of in-scope apps reflects high priority, high-impact security research areas and will continue to evolve over time.  

Related Bounty Programs

Submissions identifying vulnerabilities that reproduce only in online services will be reviewed under the Online Services Bounty Program. For eligible bounty targets and awards for research in other Office products, please see the Office Insider Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the right program. 

GETTING STARTED

Please create a test account and test tenants for security testing and probing.

  • Microsoft Teams desktop client:
    • Sign up for Microsoft Teams free here.
    • To get started with Microsoft 365 for business, you can sign up for a free 1-month trial here.
    • Learn more about Teams on our documentation page here.
    • Learn more about the latest Teams features here.

ELIGIBLE SUBMISSIONS

The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify a vulnerability that was not previously reported to Microsoft.
  • Such vulnerability must be of Critical or Important severity.
  • Vulnerability must be reproducible on the latest version of Microsoft Teams desktop client running on the latest, fully patched version of Windows, Linux, or macOS. 
  • Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team the information necessary to quickly reproduce, understand, and fix the issues.
    • Find examples here
  • Using component with known vulnerabilities 
    • Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out of date library would not qualify for an award.

We request researchers include the following information to help us quickly assess their submission

  • Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

HOW ARE AWARD AMOUNTS SET? 

Bounty awards range from $500 up to $30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program.

If a reported vulnerability does not qualify for a bounty award under the High-Impact Scenarios, it may be eligible for a bounty award under General Awards. Eligible submissions will be awarded the single highest qualifying award.

Teams Desktop: High-Impact Scenario Awards

Scenario

Maximum Award

Remote code execution (native code in the context of the current user) with no user interaction

$30,000

Ability to obtain authentication credentials1 for other users* (note: does not include phishing)

$15,000

XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction

$10,000

Elevation of privilege2 which traverses an operating system user boundary

$10,000

XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal3 user interaction

$6,000

*Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

1Authentication credentials includes, without limitation, authentication tokens.

2This includes, without limitation, elevation of privilege in the macOS updater.

3Minimal user interaction includes, without limitation, the in-app native experience such as previewing a document or expanding a message.

General Awards

 

Security Impact

Report Quality

Severity

Critical

Important

Moderate

Low

Remote Code Execution

High

Medium

Low

$15,000

$10,000

$8,000

$10,000

$8,000

$5,000

$0

$0

Elevation of Privilege

High

Medium

Low

$8,000

$4,000

$3,000

$5,000

$2,000

$1,000

$0

$0

Information Disclosure

High

Medium

Low

$8,000

$4,000

$3,000

$5,000

$2,000

$1,000

$0

$0

Spoofing

High

Medium

Low

N/A

$3,000

$1,200

$500

$0

$0

Tampering

High

Medium

Low

N/A

$3,000

$1,200

$500

$0

$0

Denial of Service

High/Low

Out of Scope

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category.

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.  

We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when assessing the quality of a submission.

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

MSRC is happy to receive and review each submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards: 

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
  • Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations
  • Vulnerabilities running on mobile operating systems such as iOS or Android 
  • Vulnerabilities based on user configuration or action, for example:
    • Vulnerabilities requiring extensive or unlikely user action
    • Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration
  • Vulnerabilities based on third party software, extensions, or platform technologies that are not unique to in scope applications

We reserve the right to accept or reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission. 
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  
  • If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria. 

REVISION HISTORY

  • March 24, 2021: Program launched.