November 22, 2023 at 09:06AM
Microsoft has launched a new bug bounty program called the Microsoft Defender Bounty Program. The program invites researchers to find vulnerabilities in Defender products and services and earn rewards ranging from $500 to $20,000. The highest rewards are given for critical-severity remote code execution bugs. Researchers must report flaws within the program’s scope and provide proof-of-concept exploit code. More details can be found on the MSRC portal.
Key Takeaways:
1. Microsoft has introduced a new bug bounty program called the Microsoft Defender Bounty Program.
2. The program is aimed at identifying vulnerabilities in Microsoft Defender products and services.
3. Researchers who participate in the program can earn between $500 and $20,000, depending on the impact and quality of their reports.
4. The highest rewards are offered for critical-severity remote code execution (RCE) bugs.
5. Other types of vulnerabilities, such as elevation of privilege, information disclosure, spoofing, and tampering, are also eligible for rewards.
6. To qualify for a bug bounty, researchers must report flaws that are within the program’s scope, haven’t been previously reported, and can be reproduced on the latest patched version of the product.
7. In-scope vulnerabilities include XSS, CSRF, SSRF, cross-tenant data tampering or access, insecure direct object references, insecure deserialization, injection, server-side code execution, and security misconfiguration issues.
8. Reports on components with known vulnerabilities should include proof-of-concept exploit code.
9. Reports need to be clear, concise, and include all necessary information to reproduce the issue.
10. Researchers should submit reports through the MSRC Researcher Portal, indicating the high-impact scenario they qualify for and describing the attack vector.
11. The scope of the program is limited to technical vulnerabilities in Defender-related products and services.
12. If researchers come across customer data during their research, they should stop and contact Microsoft.
13. More details about the Microsoft Defender Bounty Program can be found on the MSRC portal.
14. Microsoft has a history of successful bug bounty programs, having paid out millions of dollars in rewards over the years.