Microsoft Office Insider Builds on Windows Bounty Program Terms

PROGRAM DESCRIPTION
We are excited to launch a security vulnerability bounty program for Microsoft Office Insider on Windows Desktop. The program duration is from March 15, 2017 to June 15, 2017. For this duration, individuals across the globe can receive monetary rewards for submitting security vulnerabilities found in Microsoft Office Insider slow build shipping on the latest, fully patched version of Windows. Office Insider preview updates are delivered to customers in different rings. For the bounty program, we request you submit bugs on the Office Insider Preview slow ring. Check out https://products.office.com/en-us/office-insider and https://products.office.com/en-us/try for more information.

Qualified submissions may be eligible for payment from a minimum of $500 USD to $15,000 USD, and bounties will be paid out at Microsoft’s sole discretion based on the quality and complexity of the vulnerability. Certain submissions may be eligible for bounties of more than $15,000.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

Vulnerabilities submitted to Microsoft must meet the following criteria to be eligible for payment:

  • Identify an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 Desktop
  • The vulnerability must reproduce on the most recent Office Insider slow build to qualify for a bounty
    • If a submission reproduces in a previous Office Insider slow build but not the current Office slow build available at the time of your submission, then the submission is ineligible
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the Office version number and slow build number on which the vulnerability reproduces
    • To find the number, go to File -> Account -> Office update (version and build number)

Microsoft may reject any submission that it determines (in its sole discretion) does not meet these criteria, or for any other reason.

HOW ARE PAYMENT AMOUNTS SET?

  • If we receive multiple eligible bug reports for the same issue from different external parties, the bounty may be granted to the first eligible submission we receive based on the criteria mentioned above.
  • If a duplicate report provides us new information that adds value to the vulnerability investigation, we may award a differential to the duplicate submission.
  • The first eligible external report received on an internally known issue under active development will receive a maximum of $1,500 USD.

The payment range for eligible submissions will be based upon the following:

Vulnerability Impact | Functioning Exploit | Proof of Concept | Report Quality | Potential Payout Range (USD)*
--- | --- | --- | --- | ---
Elevation of privilege via Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office, or in the AppContainer sandbox, that are applicable to any application using them) | No | Required | High | Up to $15,000
Elevation of privilege via Office Protected View sandbox escape (same exclusions as above) | No | Required | Low | Up to $9,000
Macro execution by bypassing the security policies that block Office macros in Word, Excel, and PowerPoint | No | Required | High | Up to $15,000
Macro execution by bypassing the security policies that block Office macros in Word, Excel, and PowerPoint | No | Required | Low | Up to $9,000
Code execution by bypassing Outlook's automatic attachment block policies for the predefined set of extensions, listed below, that Outlook blocks by default | No | Required | High | Up to $9,000
Code execution by bypassing Outlook's automatic attachment block policies for the predefined set of extensions, listed below, that Outlook blocks by default | No | Required | Low | Up to $6,000

*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity

DEFINITIONS FOR ELIGIBLE SUBMISSIONS:

Elevation of privilege via Office Protected View sandbox escape
To help keep users safe, Office uses Protected View to open untrusted documents. We are looking for researchers to send us information on Office-based techniques to escape the sandbox and on other privilege escalations.

Bypass of default security policy to block macro execution
By default, the macro security policies block execution of macros without user interaction. In this bounty program, we are encouraging researchers to send us information about vulnerabilities that would allow automatic macro execution in Microsoft Word, Excel and PowerPoint without additional user interaction in the default configuration and without trusting the document.

Bypassing the attachment block list in Outlook
Several file extensions are currently blocked as attachments in Outlook. We're looking for techniques that enable bypassing the existing block policies for the list of extensions detailed below.

The most current list of blocked extensions is:

ade;adp;app;asp;bas;bat;cer;chm;cmd;cnt;com;cpl;crt;csh;der;diagcab;exe;
fxp;gadget;grp;hlp;hpj;hta;inf;ins;isp;its;jar;jnlp;js;jse;ksh;lnk;mad;maf;mag;
mam;maq;mar;mas;mat;mau;mav;maw;mcf;mda;mdb;mde;mdt;mdw;mdz;
msc;msh;msh1;msh2;msh1xml;msh2xml;mshxml;msi;msp;mst;ops;osd;
pcd;pif;pl;plg;prf;prg;ps1;ps2;ps1xml;ps2xml;psc1;psc2;pst;reg;scf;scr;sct;
shb;shs;tmp;url;vb;vbe;vbp;vbs;vsmacros;vsw;ws;wsc;wsf;wsh;xbap;xll;xnk

For more information on blocked attachments in Outlook, please see https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-434752E1-02D3-4E90-9124-8B81E49A8519

Note: This will NOT cover cases where a file extension that is not currently blocked as an attachment can lead to RCE. For example, we don't block some executable attachment types installed by third-party software.

WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:

  • Vulnerabilities in anything earlier than the current Office Insider slow build on Windows Desktop
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities found by disabling existing security features
  • Vulnerabilities in components not installed by Office
  • Vulnerabilities that depend on third-party components that might be installed on the system
  • Vulnerabilities involving escape from Protected View in scenarios where Protected View is explicitly not activated in Office code or is not enabled by default for the reported scenario
  • Vulnerabilities in the Application container
  • Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion.

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS

It is your responsibility to comply with the Microsoft Bounty Program – Comprehensive Terms listed in the FAQ. Please see the Microsoft Bounty Program FAQ to get detailed instructions on:

  1. Reporting bugs to Microsoft
  2. Microsoft’s triage and payment process
  3. Eligibility criteria for participation
  4. Bounty payment policies
  5. Your confidentiality obligations
  6. Microsoft’s privacy statement and legal notice
  7. Other questions on the various Microsoft bounty programs
  8. Coordinated Vulnerability Disclosure

Thank you for participating in the Microsoft Bug Bounty Program!