Microsoft Bug Bounty Programs FAQ

Want to get paid to find bugs? Read on...

 
 
Getting started

What are the official terms for Microsoft’s bounty programs?

Please see the complete terms for each program:

  • Mitigation Bypass Bounty and BlueHat Bonus for Defense program terms here
  • Online Services Bug Bounty program terms here
  • ‘Project Spartan’ Bug Bounty program terms here

Where can I get the version of Microsoft’s platform that is in scope for Mitigation Bypass bounties?

Download the latest version of Windows here.

How long will these programs run?

The Mitigation Bypass Bounty, BlueHat Bonus for Defense, and Online Services Bounty Programs will run indefinitely, at Microsoft’s discretion.
The Project Spartan Bug Bounty program will run from April 22, 2015 to June 22, 2015.

Is product [x] in scope for the bounty programs?

Please read the program terms linked above to understand what is currently in scope for Microsoft’s bounty programs. Any expansion of scope will be announced on www.microsoft.com/bountyprograms.

Is there an age limit for participants?

Researchers 14 years of age or older may submit bypasses, defense ideas, or bugs to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s consent before participating in this program. Please see the program terms here for full information on eligibility.

Can I get a list of mitigation bypasses/defensive ideas or services bugs, so I don’t enter something you don’t already know about?

We cannot provide a list of ideas or bugs we have evaluated.

 
Project Spartan Bounty Program

What is the ‘Project Spartan’ bounty program?

The ‘Project Spartan’ bounty program is a bounty program for the beta browser on Windows 10 Technical Preview. Microsoft will pay security researchers for critical- and important-severity vulnerabilities in Spartan. You can learn more about the bounty program and Project Spartan from the program terms.

General Q&A

What are the terms for the ‘Project Spartan’ bounty program?

Please see the complete program terms here.

Where can I download the latest version of Windows that supports Project Spartan?

Download the Windows 10 Technical Preview here.

Scope

What types of reports qualify for this browser bounty program?

Please submit all bugs using the bug submission guidelines found here and see the Project Spartan terms here for detailed information on eligible vulnerabilities.

What if I find a vulnerability in a non-eligible service?

You will receive credit for any verified vulnerabilities you report to secure@microsoft.com following our Coordinated Vulnerability Disclosure practices, but non-eligible services will not receive a bounty payment.

Will I be awarded a bounty for the current Internet Explorer browsers excluding Project Spartan?

You will receive credit for any verified vulnerabilities you report to secure@microsoft.com following our Coordinated Vulnerability Disclosure practices; however, released versions of Microsoft browsers, including the current Internet Explorer browsers, are not eligible for a bounty.

 
Online Services Bounty Program

What is the Microsoft Online Services bounty program?

The Online Services Bounty gives individuals across the globe an opportunity to submit vulnerability reports on eligible Online Services provided by Microsoft. Qualified submissions are eligible for a minimum payment of $500 USD, up to a maximum of $15,000 USD. Bounties are paid at Microsoft’s discretion based on the impact of the vulnerability.

General Q&A 

What are the terms for the Online Services bounty program?

Please see the complete program terms here.

What sort of testing can I do to find vulnerabilities?

Any testing must be confined to tenants in a subscription you own; you must not test other customers’ tenants. Additionally, do not conduct denial-of-service attacks or any testing that behaves like one, such as brute forcing accounts. For more information, see the program terms.

Where can I set up a test account for Microsoft’s Online Services bounty program?

Different Online Services may have different ways to create accounts for testing.

For Office 365, you can set up a trial tenant and account here.

For Azure, you can start a free trial to use as your test account/subscription here.

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name so that the tenant can be identified as being used for testing as part of the bug bounty program.

Scope

Which online services are eligible for a Bounty?

The Online Services in scope for the bounty are listed by domain in the program terms.

What types of reports qualify for an Online Services Bounty?

Please submit all bugs using the bug submission guidelines found here and see the Microsoft Online Services Bug Bounty program terms here for detailed information on eligible domains.

What if I find a vulnerability in a non-eligible service?

You will receive credit for any verified vulnerabilities you report to secure@microsoft.com following our Coordinated Vulnerability Disclosure practices, but non-eligible services will not receive a bounty payment.

When will you make other Microsoft Services eligible for a Bounty?

We are constantly evaluating products and services for bounty programs; however, we do not give timelines for whether or when we might add additional services.

 
Mitigation Bypass Bounty Program

What’s a mitigation bypass?

A mitigation bypass technique circumvents exploit mitigations that are built into the operating system. For example, some attackers use Return Oriented Programming (ROP) against the Data Execution Prevention (DEP) mitigation: instead of injecting and executing their own code, which DEP blocks, they chain together fragments of code that is already marked executable. A new mitigation bypass technique may be developed using any number of known or unknown vulnerabilities.

General Q&A

What's the Mitigation Bypass bounty?

The Mitigation Bypass Bounty Program asks participants to submit truly novel mitigation bypass techniques that target our latest Windows platform. Qualified mitigation bypass submissions are eligible for payment of up to $100,000 USD, based on the quality and complexity of the bypass technique.

How will these techniques be addressed in Windows?

Microsoft takes this bounty program extremely seriously and looks forward to acting on the resulting research to help protect our customers as quickly and effectively as possible.

What’s the news I heard about in November 2013 regarding the expansion of the Mitigation Bypass Bounty?

As of November 4, 2013, Microsoft accepts submissions for bounty consideration from those who discover new mitigation bypass techniques being used in active attacks. This requires pre-registration through bounty@microsoft.com. See our full announcement here.

How do I know if I should Pre-Register?

If you are submitting a mitigation bypass idea that you invented yourself, you do not need to pre-register; simply send it to secure@microsoft.com. If you are submitting a mitigation bypass technique that you found in use in the wild, you must pre-register before you submit. Email bounty@microsoft.com to get started. Please see the complete program terms here.

Are there additional requirements for an organization to participate?

Yes, your organization will be required to complete a pre-registration process in order to participate in the program. Please email bounty@microsoft.com for complete details.

Is there a difference in submission requirements?

The submission requirements are similar: invent or find a new mitigation bypass technique, then send proof-of-concept exploit code and a technical whitepaper explaining the new technique in detail. Individuals submitting a mitigation bypass idea they invented themselves should send it to secure@microsoft.com. Individuals or organizations submitting a mitigation bypass technique that they found in the wild must pre-register at bounty@microsoft.com. Please see the complete program terms here.

Will reported bugs that affect previous versions of Windows be fixed?

We will gladly accept reports of vulnerabilities that do not meet our bug bounty terms. Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at secure@microsoft.com.

Scope

What’s in scope?

We will gladly accept and pay for validated, truly novel mitigation bypass techniques that are effective against our latest publicly available platform as of the program’s June 26, 2013, launch date. Please see the complete program terms here.

I found a vulnerability, but it doesn’t meet the terms. Is Microsoft still interested?

Yes! Please submit all other vulnerabilities, following our posted Coordinated Vulnerability Disclosure practices, by emailing us at secure@microsoft.com.

 
BlueHat Defense Bonus Program

What is the BlueHat Bonus for Defense?

The BlueHat Bonus for Defense allows security researchers to submit a technical whitepaper describing a defensive idea that could effectively block a mitigation bypass technique. Qualifying defense submissions will receive up to $100,000 USD, depending on the quality and uniqueness of the defense idea.

General Q&A 

Are Enhanced Mitigation Experience Toolkit (EMET) bypasses in scope?

No. Bypasses that work against the default configurations of our products are significantly more useful to attackers, given the size of the affected population. EMET has known limitations and is designed as a defense-in-depth measure to break some known exploitation techniques in common use by attackers.

Can I submit a defense against someone else’s mitigation bypass technique?

Yes, if the defense submission qualifies as being new and practical as defined in the terms, we will award up to $100,000 USD for a defense that can block existing mitigation bypasses.

What are the terms for the Mitigation Bypass Bounty and BlueHat Bonus for Defense Program?

Please see the complete program terms here.

 
Questions about the past and future of Microsoft bounty programs

When are you going to add a bounty for [x]?

We’re constantly evaluating our programs to determine how to increase the win-win between the security research community and Microsoft’s customers.

I submitted a vulnerability before you had bounties. Can I get paid?

We have long been recognizing the work of security researchers who help us secure our products in a variety of ways, from acknowledgement in a Microsoft bulletin to invitations to events like the Researcher Appreciation Party in Las Vegas. The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers.

What was that Internet Explorer bounty program all about?

The Internet Explorer 11 Preview bounty is now closed. It was active from June 26, 2013 - July 26, 2013. For a historical look at the Internet Explorer 11 Preview bounty terms, please see details here. To see a list of researchers who have participated in our bounty programs, see our hall of fame here.

What’s the buzz about the Online Services bounty?

Beginning September 2014, Microsoft started giving out bounties on submissions for select Online Services properties. On April 22, 2015, we increased the scope of our Online Services Bug Bounty program to include additional properties from O365 and Azure.

Is Microsoft starting a ‘Project Spartan’ bounty program and where can I learn more about it?

On April 22, 2015, we added the ‘Project Spartan’ bounty program. This is a bounty program for the beta browser on Windows 10 Technical Preview. The goal of the program is to minimize customer impact by incentivizing security researchers to report Spartan vulnerabilities before general availability. You can learn more about the program from the program terms.
