Online Services Bug Bounty Terms

PROGRAM DESCRIPTION

In September 2014 we launched the first phase of the Microsoft Online Services Bug Bounty program, and expanded the program in April 2015 to include various Azure and additional O365 properties. Through this initiative, individuals across the globe have had the opportunity to earn a bounty on submitted vulnerabilities for participating Online Services provided by Microsoft.

On August 5, 2015, the program will again expand to include Microsoft Account. Qualified submissions are eligible for a minimum payment of $500 USD up to a maximum of $15,000 USD. Bounties will be paid out at Microsoft’s discretion based on the impact of the vulnerability.

WHAT ARE THE RULES GOVERNING THE TESTING OF BOUNTY-ELIGIBLE MICROSOFT ONLINE SERVICES?

The following activities are prohibited:

  • Any kind of Denial of Service testing.
  • Performing automated testing of services that generates significant amounts of traffic.
  • Gaining access to any data that is not wholly your own. For example, you are allowed to and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.
  • Moving beyond “proof of concept” repro steps for server-side execution issues (e.g. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
  • Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
  • Using our services in a way that violates the terms for that service.

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION FOR O365, MICROSOFT AZURE, AND MICROSOFT ACCOUNT?

Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains. Additionally, in order for submissions to be processed as quickly as possible and to ensure the highest payment for the type of vulnerability being reported, submissions should include concise repro steps that are easily understood.

Eligible submissions will include vulnerabilities of the following types:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)

Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet the above criteria.

Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant. In the list below, <Tenant> refers to a tenant in a subscription that you own – do not run tests against any other tenants.

Only the following domains are eligible for bug bounty payments and allow for testing as described in these terms:

  • *.onedrive.live.com
  • *.onedrive.com
  • login.windows.net
  • login.microsoftonline.com
  • login.live.com
  • portal.azure.com
  • manage.windowsazure.com
  • account.windowsazure.com
  • blog.azure.com
  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • *.sharepoint.com (excluding user-generated content)
  • *.lync.com
  • *.officeapps.live.com
  • www.yammer.com
  • *.sway.com

Additional eligible endpoints:

  • *.storage.live.com
  • *.skyapi.live.net
  • *.apis.live.net
  • *.settings.live.net
  • *.policies.live.net
  • api.yammer.com
  • management.azure.com
  • management.core.windows.net
  • graph.windows.net
  • passwordreset.microsoftonline.com
  • tip.passwordreset.microsoftonline.com
  • account.activedirectory.windowsazure.com
  • syncfabric.windowsazure.com
  • provisioningapi.microsoftonline.com
  • enterpriseregistration.windows.net
  • adminwebservice.microsoftonline.com
  • credential.activedirectory.windowsazure.com
  • reportingservice.activedirectory.windowsazure.com
  • https://www.remoteapp.windowsazure.com
  • https://management.remoteapp.windowsazure.com
  • <Tenant>.scm.azurewebsites.net (excluding user-generated content)
  • <Tenant>.ftp.azurewebsites.net (excluding user-generated content)
  • <Tenant>.batch.core.windows.net (excluding user-generated content)
  • <Tenant>.batchapps.core.windows.net (excluding user-generated content)
  • <Tenant>.trafficmanager.net (excluding user-generated content)
  • <Tenant>.media.windows.net (excluding user-generated content)
  • <Tenant>.azure-mobile.net (excluding user-generated content)
  • <Tenant>.task.core.windows.net (excluding user-generated content)
  • <Tenant>.watask.core.windows.net (excluding user-generated content)
  • <Tenant>.workflow.windows.net (excluding user-generated content)
  • <Tenant>.biztalk.windows.net (excluding user-generated content)
  • <Tenant>.servicebus.windows.net (excluding user-generated content)
  • <Tenant>.vault.azure.net (excluding user-generated content)
  • <Tenant>.blob.core.windows.net (excluding user-generated content)
  • <Tenant>.table.core.windows.net (excluding user-generated content)
  • <Tenant>.queue.core.windows.net (excluding user-generated content)
  • <Tenant>.files.core.windows.net (excluding user-generated content)

Please check “WHOIS” records for all resolved IPs prior to testing in order to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are NOT in scope for this bug bounty program.

Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet the above criteria.

WHAT CONSTITUTES AN INELIGIBLE SUBMISSION FOR O365, MICROSOFT AZURE, AND MICROSOFT ACCOUNT?

The aim of the bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in our service, the following are examples of vulnerabilities that will not earn a bounty reward:

  • Vulnerabilities in Hyper-V such as virtual machine escapes or denial of service attacks. However, they may be eligible for a bounty through the Mitigation Bypass Bounty program
  • Vulnerabilities in user-created content or applications. For example, in a *.sharepoint.com domain, if a tenant has publicly exposed their own HTML page with any kind of vulnerability (e.g. DOM-based XSS), this bug is not eligible for bounty and will not be accepted as a vulnerability
  • Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names and most stack traces
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • “Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Cookie replay vulnerabilities
  • Vulnerabilities requiring unlikely user actions
  • Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
  • Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
  • Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
  • Vulnerabilities in the web application that only affect unsupported browsers and plugins
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

HOW TO CREATE TRIAL ACCOUNTS FOR TESTING OF BOUNTY-ELIGIBLE O365, AZURE, AND MICROSOFT ACCOUNT SERVICES?

You must create test accounts and test tenants for security testing and probing.

For Office 365 services, you can set up your test account here.

For Azure services, you can start a free trial to use as your test account here.

For Microsoft Account, you can set up your test account here.

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being in use for the bug bounty program.

BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS

It is your responsibility to comply with the Microsoft Bounty Program – Comprehensive Terms listed in the FAQ. Please see the Microsoft Bounty Program FAQ to get detailed instructions on:

  1. Reporting bugs to Microsoft
  2. Microsoft’s triage and payment process
  3. Eligibility criteria for participation
  4. Bounty payment policies
  5. Your confidentiality obligations
  6. Microsoft’s privacy statement and legal notice
  7. Other questions on the various Microsoft bounty programs

Thank you for participating in the Microsoft Bug Bounty Program!