![[-]](https://www.aiowares.com/images/collapse.png "[-]")
Microsoft last week underscored the importance of Teams to its current and future strategic planning by inaugurating a new bug bounty program that will offer up to $30,000 — twice the maximum of any Office application — to security researchers for reporting previously-unknown vulnerabilities.
Out the gate, the new program, carrying the prosaic label "Microsoft Applications Bounty Program," focused exclusively on the Teams desktop client. Other applications will be brought into the program, Microsoft said, though no timeline was given.
In an online document that detailed the new bug bounty program, Microsoft listed five specific scenarios — "high-impact," the company said — that came with rewards from $6,000 to $30,000. The largest bounty was for vulnerabilities described as "remote code execution (native code in the context of the current user) with no user interaction."
Flaws in Teams that led to an "ability to obtain authentication credentials for other users*(note: does not include phishing)" would rate a maximum of $15,000.
A rate sheet of general bugs — from remote code execution vulnerabilities to spoofing or tampering — was also included, with rewards ranging from $500 to $15,000, depending on the severity of the flaw, and the quality and thoroughness of the finder's reporting.
In comparison, Microsoft's bounties in its "Office Insider Builds on Windows" program max out at $15,000. The only other application for which Microsoft cuts bounty checks as large as $30,000 is its Edge browser.
(Microsoft also listed $30,000 as the maximum for vulnerabilities in the Windows Defender Application Guard, which isn't an app per se, but a security feature within Windows.)
Out the gate, the new program, carrying the prosaic label "Microsoft Applications Bounty Program," focused exclusively on the Teams desktop client. Other applications will be brought into the program, Microsoft said, though no timeline was given.
In an online document that detailed the new bug bounty program, Microsoft listed five specific scenarios — "high-impact," the company said — that came with rewards from $6,000 to $30,000. The largest bounty was for vulnerabilities described as "remote code execution (native code in the context of the current user) with no user interaction."
Flaws in Teams that led to an "ability to obtain authentication credentials for other users*(note: does not include phishing)" would rate a maximum of $15,000.
A rate sheet of general bugs — from remote code execution vulnerabilities to spoofing or tampering — was also included, with rewards ranging from $500 to $15,000, depending on the severity of the flaw, and the quality and thoroughness of the finder's reporting.
In comparison, Microsoft's bounties in its "Office Insider Builds on Windows" program max out at $15,000. The only other application for which Microsoft cuts bounty checks as large as $30,000 is its Edge browser.
Code:
https://www.microsoft.com/en-us/msrc/bounty-office-insider
https://www.microsoft.com/en-us/msrc/bounty-new-edge(Microsoft also listed $30,000 as the maximum for vulnerabilities in the Windows Defender Application Guard, which isn't an app per se, but a security feature within Windows.)
Code:
https://www.microsoft.com/en-us/msrc/bounty-windows-defender-application-guard
