Microsoft announced this week it will pay up to $20,000 for security vulnerabilities in its Defender products.
Microsoft launched its new Microsoft Defender Bounty Program, which focuses on Defender products and services. The company will pay up to $20,000 for vulnerabilities in its Defender products.
The bug bounty program starts with the Defender for Endpoint APIs; the company plans to extend its scope to other Defender products over time.
“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team,” reads the announcement. “The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs and will expand to include other products in the Defender brand over time. Qualified submissions are eligible for bounty rewards from $500 to $20,000 USD.”
Bug hunters can submit critical or important severity vulnerabilities that affect the latest, fully patched version of the product or service.
The IT giant will pay $20,000 for critical-severity remote code execution (RCE) vulnerabilities, up to $8,000 for critical elevation of privilege and information disclosure flaws, and up to $3,000 for spoofing and tampering vulnerabilities.
In-scope vulnerabilities include:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Server side request forgery (SSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Using components with known vulnerabilities (requires a full proof of concept (PoC) of exploitability; for example, simply identifying an out-of-date library would not qualify for an award)
White hat hackers can submit reports through the MSRC Researcher Portal, indicating which high-impact scenario (if any) the report qualifies for and the attack vector of the vulnerability.
(SecurityAffairs – hacking, Microsoft Defender)