Researchers, security enthusiasts and bug hunters, take note: Microsoft's bug bounty program has rarely looked this lucrative.
The assignment, should you choose to accept it, is simple: find and report vulnerabilities in a product that one of the world's most valuable publicly traded tech companies introduced some time back.
That is the new directive from none other than Microsoft.
In a new announcement, Microsoft has launched a bug bounty program to flush out security flaws in the Microsoft Teams desktop client.
Rewards in the scenario-based tiers start at $5,000 and run to $20,000 for most tiers, and Microsoft says it may pay more where it judges a submission to have a high enough impact on customer privacy and security.
The top scenario award is $30,000, reserved for a clearly demonstrated remote code execution bug that runs native code in the context of the current user with no user interaction.
The remaining scenario tiers pair a fixed reward with a specific bug class and a minimum quality bar for the report; the most prominent ones stand out.
The Redmond-based tech giant offers $15,000 for a bug that lets an attacker obtain authentication credentials for other users; phishing is explicitly excluded.
Next comes a $10,000 tier for cross-site scripting (XSS) or other code injection that lets an attacker execute arbitrary script in the context of teams.microsoft.com or teams.live.com with no user interaction.
The same $10,000 is on offer for an elevation of privilege that crosses the Windows user boundary.
Researchers who find an XSS or other "code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction" qualify for $6,000.
One thing to keep in mind: at present the bounty applies only to the Microsoft Teams desktop client (available for Windows 10, macOS and Linux). It does not cover the Teams web app in a browser or the native mobile apps for iOS and Android.
The good news for researchers does not stop there. Microsoft is also offering general bounty awards for the Teams desktop app that fall outside the scenario-based tiers, with rewards of up to $15,000.
Teams qualifies because the product falls under the Online Services Bounty Program, which also underlines how important the product has become to Microsoft.
With 115 million daily active users, the priority Microsoft gives Teams is clearly what has opened the door to a bug bounty for one of its key services, especially one that serves such a large business customer base.
Over in the rival camp, the announcement is consistent with Zoom's decision to overhaul its security by bringing Luta Security on board last year. The objective in both cases is the same: a long-term plan to improve the security of the service.
Microsoft has also kept adding features to Teams to improve the product itself. From breakout room timers, room retention and participant reassignment to Slack-inspired touches, it has been a steady stream of upgrades aimed at user engagement.
Be that as it may, the bounty program for the Teams desktop client is more relevant in light of the large number of cyberattacks targeting vulnerable Microsoft Exchange servers.
The situation on that front is admittedly dire. Analysts widely fear that these attacks will compromise many Exchange servers outright. In that scenario the attackers not only gain access to sensitive information that is central to business operations, but also leave a foothold for follow-on attacks, including ransomware campaigns.
From Microsoft's point of view, this is a product used by some of the most prominent organisations on the planet: 91 of the Fortune 100 use Microsoft Teams. In a pandemic-hit world that made remote work the norm, a 2020 study of US Teams users found 29.71% of companies using Microsoft Teams for remote work during the COVID-19 pandemic.
Moreover, with close to 500,000 organisations using the product as of 2020, it makes sense for Microsoft to take remedial steps, and shoring up the defences of a product as widely relied upon as Microsoft Teams is a good move.
Stay tuned for more updates.