Microsoft Bounty Programs FAQ
Want to get paid to find bugs? Read on...
What are the official terms for Microsoft’s bounty programs?
Please see complete
How long will these programs run?
The Mitigation Bypass Bounty, Bounty for Defense, and Online Services Bug Bounty Programs will run indefinitely, at Microsoft’s discretion.
Is product [x] in scope for the bounty programs?
Please read the above terms to understand what is currently in scope for Microsoft’s bounty programs. The increased scope of the bounty program will be announced on www.microsoft.com/bountyprograms.
Is there an age limit for participants?
Researchers 14 years of age or older may submit bypasses, defense ideas or bugs to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s consent prior to participating in this program.
Online Services Bounty Program
What is the Microsoft Online Services bounty program?
The Online Services Bounty gives individuals across the globe an opportunity to submit vulnerability reports on eligible Online Services provided by Microsoft. Qualified submissions are eligible for a minimum payment of $500 USD, up to a maximum of $15,000 USD. Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.
Between August 5 and October 5, 2015, qualified submissions of vulnerabilities in Microsoft Account are eligible for “double bounties”, up to a maximum of $30,000 USD. For full details, see the complete program terms here.
What are the terms for the Online Services bounty program?
Please see complete program terms here.
What sort of testing can I do to find vulnerabilities?
Any testing should be confined to accounts owned by the tester or to tenants in a subscription owned by the tester; that is, you should not be testing other customers’ tenants or accounts. Additionally, do not conduct any denial-of-service attacks or any testing that behaves similarly, such as brute-forcing of accounts. If you believe you’ve found a vulnerability that requires such testing, contact the program administrators for information on how to proceed. For more information, see the program terms.
Where can I set up a test account for Microsoft’s Online Services bounty program?
Different Online Services may have different ways to create accounts for testing.
For Office 365, you can set up a trial tenant and account here.
For Azure, you can start a free trial to use as your test account/subscription here.
For Microsoft Account, you can create a free account to use as a test account here.
In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify a tenant as being in use for testing as part of the bug bounty program.
Which online services are eligible for a Bounty?
The Online Services in scope for the bounty are listed by domain in the program terms.
What types of reports qualify for an Online Services Bounty?
What if I find a vulnerability in a non-eligible service?
You will receive credit for any verified vulnerabilities you report, following our Coordinated Vulnerability Disclosure practices, to firstname.lastname@example.org, but reports against non-eligible services will not receive a bounty payment.
When will you make other Microsoft Services eligible for a Bounty?
We are constantly evaluating products and services for bounty programs; however, we do not give any timelines on whether or when we might add additional services.
Mitigation Bypass Bounty Program
What’s a mitigation bypass?
A mitigation bypass technique is designed to circumvent protections that are built into operating systems. For example, the Return Oriented Programming (ROP) technique is used by some attackers against the DEP (Data Execution Prevention) mitigation. Multiple known and unknown vulnerabilities can be used to develop a new mitigation bypass technique.
What's the Mitigation Bypass bounty?
The Mitigation Bypass Bounty Program asks participants to submit truly novel mitigation bypass techniques that target our latest Windows platform. Qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD, based on the quality and complexity of the bypass technique.
Can I get a list of mitigation bypasses/defensive ideas or services bugs, so I don’t enter something you don’t already know about?
We cannot provide a list of ideas or bugs we have evaluated.
Where can I get the version of Microsoft’s platform that is in scope for Mitigation Bypass bounties?
Download the latest version of Windows here.
How will these techniques be addressed in Windows?
Microsoft takes this bounty program extremely seriously and looks forward to acting on the resulting research to help protect our customers as quickly and effectively as possible.
What’s the news I heard about in November 2013 regarding the expansion of the Mitigation Bypass Bounty?
As of November 4, 2013, Microsoft started accepting submissions for bounty consideration from those who discover new mitigation bypass techniques being used in active attacks. This requires pre-registration through email@example.com. See our full announcement here.
How do I know if I should Pre-Register?
If you are submitting a mitigation bypass idea that you invented yourself, you do not need to pre-register. Simply send it to firstname.lastname@example.org. If you are submitting a mitigation bypass technique that you found in use in the wild, you will need to pre-register before you submit. Email email@example.com to get started. Please see complete program terms here.
Are there additional requirements for an organization to participate?
Yes, your organization will be required to complete a pre-registration process in order to participate in the program. Please email firstname.lastname@example.org for complete details.
Is there a difference in submission requirements?
The submission requirements are similar: invent or find a new mitigation bypass technique, then send proof-of-concept exploit code and a technical whitepaper explaining the new technique in detail. Individuals submitting a mitigation bypass idea that they invented themselves should send it to email@example.com. Individuals or organizations submitting a mitigation bypass technique that they found in use will need to pre-register at firstname.lastname@example.org. Please see complete program terms here.
Will reported bugs that affect previous versions of Windows be fixed?
We will gladly accept reports of vulnerabilities that do not meet our bug bounty terms. Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at email@example.com.
What’s in scope?
We will gladly accept and pay for validated, truly novel mitigation bypass techniques that are effective against our latest publicly available platform—as of the program’s June 26, 2013, launch date. Please see complete program terms here.
I found a vulnerability, but it doesn’t meet the terms. Is Microsoft still interested?
Yes! Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at firstname.lastname@example.org.
Bounty for Defense Program
What is the Bounty for Defense?
The Bounty for Defense allows security researchers to submit a technical white paper describing a defensive idea that could effectively block a mitigation bypass technique. Qualifying defense submissions will receive up to $100,000 USD, depending on the quality and uniqueness of the defense idea.
Are Enhanced Mitigation Experience Toolkit (EMET) bypasses in scope?
No. Bypasses that work against the default configurations of our products are significantly more useful to attackers, given the size of the affected population. EMET has some known limitations and is designed as a defense-in-depth measure to break some known exploitation techniques in common use by attackers.
Can I submit a defense against someone else’s mitigation bypass technique?
Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $100,000 USD for a defense that can block existing mitigation bypasses. If you have a defensive technique and corresponding exploits to prove the technique works, you will be eligible for this program.
What are the terms for the Mitigation Bypass Bounty and Bounty for Defense Program?
Please see complete program terms here.
Questions about the past and future of Microsoft bounty programs
When are you going to add a bounty for [x]?
We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.
I submitted a vulnerability before you had bounties. Can I get paid?
We have long recognized the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest step in our ongoing investment in working collaboratively with security researchers.
What’s the buzz about the Online Services bounty?
Beginning September 2014, Microsoft started giving out bounties on submissions for select Online Services properties. On April 22, 2015, we increased the scope of our Online Services Bug Bounty program to include additional properties from O365 and Azure, and in August 2015 we again expanded the scope to include Microsoft Account.
Wasn’t there a Microsoft Edge technical preview bounty program?
The Project Spartan bounty program is now closed. It ran from 22 April 2015 to 22 June 2015. This was a beta browser bounty program on Windows 10 Technical Preview to minimize customer impact and incentivize security researchers to report Edge vulnerabilities before general availability.
What was that Internet Explorer bounty program all about?
The Internet Explorer 11 Preview bounty is now closed. It was active from June 26, 2013, to July 26, 2013. For a historical look at the Internet Explorer 11 Preview bounty terms, please see details here. To see a list of researchers who have participated in our bounty programs, see our hall of fame here.