Microsoft: We’re boosting our bug bounties for these high-impact security flaws | ZDNet

By Naomi Gleit On Apr 19, 2022

Microsoft has announced new “scenario-based” awards for its Dynamics and Power Platform Bounty Program and the Microsoft 365 Bounty Program.

Microsoft says the scenario-based awards are designed to encourage researchers to focus their work on “vulnerabilities that have the highest potential impact on customer privacy and security”.

ZDNet Recommends

The best cloud storage services

Free and cheap personal and small business cloud storage services are everywhere. But, which one is best for you? Let’s look at the top cloud storage options.

The new scenario-based awards are on top of existing general awards for security bugs, such as remote code execution and elevation of privilege bugs in products – and amount to up to $26,000 on offer in new awards.

SEE: Windows 11 security: How to protect your home and small business PCs

The new scenario-based award for Dynamics 365 and Power Platform is a cross-tenant information disclosure bug, which carries a maximum award of $20,000. Microsoft has patched similar bugs to this affecting some Azure APIs and another similar cross-tenant information disclosure bug affecting the Azure Automation service in March.

Microsoft is also adding bonuses of between 15-30% on top of the general Microsoft 365 bounty for Office 365 products and Microsoft Account pages for Outlook, Teams, SharePoint Online, OneDrive, Skype, and more.

The Microsoft 365 bounty highest general award is $20,000 for a critical remote code execution flaw.

The new high-impact scenarios award a 30% bonus for remote code execution (RCE) through untrusted input (CWE-94 “Improper Control of Generation of Code” (‘Code Injection’)); and 30% for for RCE through untrusted input (CWE-502 “Deserialization of Untrusted Data”).

There are also 20% awards for unauthorized cross-tenant and cross-identity sensitive data leakage for both (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) and (CWE-488 “Exposure of Data Element to Wrong Session”).

Finally, there’s a 15% award for “Confused Deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”).

Microsoft offered similar scenario-based awards for its Teams bug bounty last year on top of its general awards in that program. in December, it also added six scenario-based awards of up to $60,000 for high-impact bugs to its Azure bounty.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.