M365 Bounty Program

RULES OF ENGAGEMENT FOR TESTING BOUNTY-ELIGIBLE M365 SERVICES

The M365 Bounty Program scope is limited to technical vulnerabilities in online M365 products and services. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted: 

• Gaining access to any data that is not wholly your own.   
  • For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data that is not your own.   
• Moving beyond “proof of concept” repro steps for server-side execution issues  
  • For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).   
• Any kind of Denial of Service testing.  
• Performing automated testing of services that generates significant amounts of traffic.   
• Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.   
• Using our services in a way that violates the terms for that service.   

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.  

IN SCOPE VULNERABILITIES 

The following are examples of vulnerabilities that may lead to one or more of the above security impacts: 

• Cross site scripting (XSS) 
• Cross site request forgery (CSRF) 
• Cross-tenant data tampering or access 
• Insecure direct object references 
• Insecure deserialization 
• Injection vulnerabilities 
• Server-side code execution 
• Significant security misconfiguration (when not caused by user) 
• Using component with known vulnerabilities
  • Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out of date library would not qualify for an award.

IN-SCOPE DOMAINS AND ENDPOINTS

• Security Center 
  • security.microsoft.com 
  • compliance.microsoft.com 
• Outlook 
  • outlook.office365.com 
  • outlook.office.com 
  • outlook.live.com 
  • outlook.com 
• Teams 
  • teams.microsoft.com 
  • teams.live.com 
  • join.microsoft.com 
• Lync 
  • lync.com 
• SharePoint Online 
  • sharepoint.com (excluding user-generated content) 
  • sharepointonline.com (excluding user-generated content) 
  • svc.ms 
• OneDrive 
  • onedrive.live.com 
  • onedrive.com 
  • 1drv.com (excluding user-generated content) 
  • livefilestore.com (excluding user-generated content) 
  • storage.live.com 
• Skype 
  • skype.com 
  • skyapi.live.net 
• Yammer 
  • yammer.com 
  • assets-yammer.com 
• Sway 
  • sway.com 
  • sway.office.com 
• Tasks 
  • tasks.office.com 
• Forms 
  • forms.office.com 
• Bing
  • Bing.com
• Other 
  • portal.office.com 
  • admin.microsoft.com 
  • www.office.com (subdomains are not in-scope unless otherwise listed) 
  • webshell.suite.office.com 
  • protection.office.com 
  • officeapps.live.com 
  • apis.live.net 
  • settings.live.net 
  • policies.live.net 

Only the following domains and endpoints are eligible for bug bounty awards. Subdomains of in-scope domain are also considered in-scope unless otherwise listed in the Out-of-Scope Submission and Vulnerabilities section of this bounty program. Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.

Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program.

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards: 

• Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
• Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation
  • Vulnerabilities that rely on Swagger API
  • Vulnerabilities that rely on Akamai ARL misconfiguration
  • Dependency Confusion Issues
• Out of Scope vulnerability types, including:
  • Server-side information disclosure such as IPs, server names and most stack traces
  • Low impact CSRF bugs (such as logoff)
  • Denial of Service issues
  • Dangling resource takeovers, for example sub-domain takeovers
  • Cookie replay vulnerabilities
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • ”Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant
• Out of Scope subdomains, including:
  • attachments.office.net
  • attachments.live.net
  • attachments.outlook.live.net
    • Out of Scope subdomains may be used to demonstrate vulnerabilities within domains or endpoints listed in the In-Scope Domains and Endpoints section of this bounty program
• Vulnerabilities that are addressed via product documentation updates, without change to product code or function
• Vulnerabilities based on user configuration or action, for example:
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities in user-created content or applications.
    • For example in a *.sharepoint.com domain, if a tenant has publicly exposed their own html page with any kind of vulnerability (i.e. DOM-based XSS) this bug is not eligible for bounty, and will not be accepted as a vulnerability
  • Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities based on third parties, for example:
  • Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
  • Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
• Vulnerabilities in the web application that only affect unsupported browsers and plugins
• Training, documentation, samples, and community forum sites related to Microsoft M365 products and services are not in scope for bounty
• Vulnerabilities requiring bypassing SafeLinks, a protection feature within Outlook
• Vulnerabilities found in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com

We reserve the right to accept or reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

Am I eligible for bounty if I find a vulnerability while pentesting Microsoft Azure or M365?

It is your responsibility to comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement. To receive a bounty, an organization or individual must submit a report identifying a bounty eligible vulnerability to Microsoft using the MSRC submission portal and bug submission guidelines.

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

• If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission. 
• If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  
• If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program.
• Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

Thank you for participating in the Microsoft Bug Bounty Program!

REVISION HISTORY

• September 2014: Program launched.
• April 2015: Program scope updated.
• August 2015: Program scope updated and bounty program name changed from Online Services to Cloud bounty program.
• July 17, 2018: identity related vulnerabilities moved into the Microsoft Identity Bounty Program. (https://www.microsoft.com/msrc/bounty-microsoft-identity)
• December 7, 2018: Updated program introduction, FAQ link, and added revision history section.
• January 17, 2019: Updated award ranges based on impact, severity, and report quality. Added in-scope summary.
• June 12, 2019: Added outlook.live.com to bounty scope.
• July 17, 2019: Added Skype.com and tasks.office.com to bounty scope
• August 5, 2019: Cloud Bounty Program separated into Online Services Bounty Program and Azure Bounty Program. Azure-related scope moved to Azure Bounty Program. Updated pentesting guidance.
• September 2, 2020:  Added "training, documentation, samples, and community forum sites" to the list of out of scope submissions. Combined "Bounty Awards" and "Additional Information" sections. 
• September 15, 2020: Added returned "forms.office.com" to bounty scope,  removed "azure.microsoft.com/en-us/blog"
• September 21, 2020: Removed "www.office.com" from bounty scope, removed "portal.azure.com" from this bounty scope. "portal.azure.com" is covered under the Azure Bounty Program. 
• January 11, 2021: Clarified that attachments.office.net, attachments.live.net, and attachments.outlook.live.net are not bounty eligible endpoints.
• January 28, 2021: Added to out of scope - vulnerabilities that rely on Swagger API.
• February 8, 2021: Updated list of “in-scope domains and endpoints”. Added admin.microsoft.com, www.office.com, webshell.suite.office.com, security.microsoft.com, compliance.microsoft.com, sharepointonline.com, livefilestore.com, 1drv.com, svc.ms, teams.live.com, assets-yammer.com to bounty scope. Removed msg.skype.com, asm.skype.com, and manage.windowsazure.com from bounty scope.
• July 7, 2021: Added to out of scope - vulnerabilities requiring bypassing SafeLinks.
• August 26, 2021: Added to out of scope - vulnerabilities that rely on Akamai ARL misconfiguration.
• September 14, 2021: Added to out of scope – vulnerabilities in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com.
• February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
• April 14, 2022: Added High Impact Scenarios and Updated In-Scope domains list.
• April 18, 2023: Added reference to the Microsoft Vulnerability Severity Classification for Online Services for the severity in eligible submissions. Updated bounty award table based on vulnerability type.
• April 27, 2023: Added bing.com to In-Scope Domains and Endpoints.
• June 1, 2023: Added Dependency Confusion Issues to Out-of-Scope.
• July 13, 2023: Added "Improper Input Validation" as a vulnerability type in the bounty award table.