Microsoft 365 and Microsoft Teams have been among the major tech success stories of the past few years. The use of both has surged since the pandemic, and in response, Microsoft has rolled out updates, new features, and add-ons at breathtaking speed. But great speed often comes with ugly blotches: bugs. Microsoft has announced a bug-bounty program inviting users to find vulnerabilities in Microsoft Teams. Find some bugs and you’ll make Microsoft Teams better … and you a little wealthier.
At this point, the Microsoft Application Bounty Program applies only to the Microsoft Teams desktop client, which is arguably Microsoft’s hottest product. Microsoft says the list of apps “will continue to evolve over time.”
So, what’s in it for you? How about a grand prize of $30,000? That’s for finding a remote code execution vulnerability, which Microsoft describes as “native code in the context of the current user with no user interaction.” The biggest awards go to vulnerabilities in the category Microsoft labels “high-impact scenario.” You can see these in the chart below.
Scenario | Maximum Award |
---|---|
Remote code execution (native code in the context of the current user) with no user interaction | $30,000 |
Ability to obtain authentication credentials for other users (note: does not include phishing) | $15,000 |
XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction | $10,000 |
Elevation of privilege which traverses an operating system user boundary | $10,000 |
XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction | $6,000 |
Outside of the high-impact scenario, Microsoft is offering General Awards in several categories. The awards are based on the security impact, the report quality, and the severity of the vulnerability, as you can see in the chart below.
Security Impact | Report Quality | “Critical” Severity | “Important” Severity |
---|---|---|---|
Remote Code Execution | High | $15,000 | $10,000 |
Remote Code Execution | Medium | $10,000 | $8,000 |
Remote Code Execution | Low | $8,000 | $5,000 |
Elevation of Privilege | High | $8,000 | $5,000 |
Elevation of Privilege | Medium | $4,000 | $2,000 |
Elevation of Privilege | Low | $3,000 | $1,000 |
Information Disclosure | High | $8,000 | $5,000 |
Information Disclosure | Medium | $4,000 | $2,000 |
Information Disclosure | Low | $3,000 | $1,000 |
Spoofing | High | N/A | $3,000 |
Spoofing | Medium | N/A | $1,200 |
Spoofing | Low | N/A | $500 |
Tampering | High | N/A | $3,000 |
Tampering | Medium | N/A | $1,200 |
Tampering | Low | N/A | $500 |
Bug-bounty programs from giant tech companies are not new and have proved to be successful in closing serious and embarrassing vulnerabilities. Ready to start swatting bugs in Microsoft Teams and fatten your wallet? For more information, head over to the Microsoft Application Bounty Program page.