Microsoft announced the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. With the new awards, Microsoft aims to encourage new researchers to focus their research on vulnerabilities that can have a severe impact on customer privacy and security.
Maximum award $20,000
Microsoft announced that for Dynamics 365 and Power Platform Bounty Program, the maximum award is $20,000 for cross-tenant information disclosure. Eligible submissions may also qualify for 15-30% bonuses. These bonuses are:
- Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”) +30%
- Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”) +30%
- Unauthorized cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) +20%
- Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”) +20%
- “Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”) +15%
The new awards are part of Microsoft’s broader effort to partner with the security research community, which the company presents as one element of its holistic approach to security.