Microsoft Extends Bug Bounty Program, Offering up to $15,000 in Rewards

Sep 18, 2017

Microsoft has announced an extension to its Microsoft Office Bounty Program, which will now run until the end of this year, offering up to $15,000 for valid vulnerabilities. The Redmond software maker said in a blog post that the program was originally slated to end on June 15, but will continue to run.

“The engagement we have had with the security community has been great and we are looking to continue that collaboration on the Office Insider Builds on Windows,” Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center, wrote on Friday. “This program represents a great chance to identify vulnerabilities prior to broad distribution.”


Microsoft Office bug bounty program extended

The latest news from Microsoft follows Samsung’s announcement earlier this month. The South Korean tech giant launched a new bug bounty program, offering up to $200,000 for unreported, critical security flaws.

Microsoft had announced its bug bounty program dedicated to Microsoft Office Insider on Windows with a minimum of $500 and a maximum financial reward of $15,000 for zero-day security flaws. However, the bug bounty payout for Office vulnerabilities is now between $6,000 and $15,000, which may indicate that several low-severity flaws have been fixed and that the company is trying to get the security community to focus on more critical issues.

With this program, the company is seeking out issues in the Office Insider Builds, which offer users early access to new Office features, capabilities and security innovations. “By testing against these early builds, issues can potentially be found prior to production release,” the blog post said. “This helps improve quality and protect customers” once the builds are out for the public.

Researchers are required to submit “an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 desktop,” the company wrote in its blog post. “Submissions that can be reproduced on the previous build but not on the current aren’t considered eligible.”


If you are interested, you can report Microsoft Office vulnerabilities to secure@microsoft.com, but don’t forget to inform the company that you want your submission to be part of this program.

– More information on bug bounty terms and the kind of vulnerabilities accepted can be found here
