What you need to know
- Microsoft has updated its bug bounty terms yet again.
- It now has a more specific pricing breakdown of what you can expect for high-impact bug finds.
- Maximum awards now have an (up to) 30% modifier.
Microsoft updated its bug bounty program not too long ago to add additional products to the lineup of those eligible for bounties. And now, the company's back to tinkering with its terms to more accurately express what you can expect from its program.
In order to get the most bug bucks, you're going to need to stumble across the following high-impact scenarios:
- Remote code execution through untrusted input (CWE-94 "Improper Control of Generation of Code ('Code Injection')") (+30% maximum award)
- Remote code execution through untrusted input (CWE-502 "Deserialization of Untrusted Data") (+30% maximum award)
- Unauthorized cross-tenant and cross-identity sensitive data leakage (CWE-200 "Exposure of Sensitive Information to an Unauthorized Actor") (+20% maximum award)
- Unauthorized cross-identity sensitive data leakage (CWE-488 "Exposure of Data Element to Wrong Session") (+20% maximum award)
- "Confused deputy" vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 "Server-Side Request Forgery (SSRF)") (+15% maximum award)
You can see the full roundup of bug bounty changes over at Microsoft's page wherein there's an in-depth breakdown of the current products and services Redmond's willing to dole out cash over. Do note that many bugs, if they're only deemed "moderate" or "low" threats, will fetch you a whopping total of zero currency, so be sure the bugs you report are big and juicy enough to score a proper reward from Microsoft. And forget all about the criminals making millions via deliberate attempts to spite the company.
For news regarding the latest vulnerabilities to be exploited by Microsoft's enemies, check out Tarrask malware.