There’s nothing like $30,000 to show that an app has made it to the big time.
Microsoft last week underscored the importance of Teams to its current and future strategic planning by inaugurating a new bug bounty program that will offer up to $30,000 — twice the maximum of any Office application — to security researchers for reporting previously-unknown vulnerabilities.
Out the gate, the new program, carrying the prosaic label “Microsoft Applications Bounty Program,” focused exclusively on the Teams desktop client. Other applications will be brought into the program, Microsoft said, though no timeline was given.
In an online document that detailed the new bug bounty program, Microsoft listed five specific scenarios — “high-impact,” the company said — that came with rewards from $6,000 to $30,000. The largest bounty was for vulnerabilities described as “remote code execution (native code in the context of the current user) with no user interaction.”
Flaws in Teams that led to an “ability to obtain authentication credentials for other users*(note: does not include phishing)” would rate a maximum of $15,000.
A rate sheet of general bugs — from remote code execution vulnerabilities to spoofing or tampering — was also included, with rewards ranging from $500 to $15,000, depending on the severity of the flaw, and the quality and thoroughness of the finder’s reporting.
In comparison, Microsoft’s bounties in its “Office Insider Builds on Windows” program max out at $15,000. The only other application for which Microsoft cuts bounty checks as large as $30,000 is its Edge browser. (Microsoft also listed $30,000 as the maximum for vulnerabilities in the Windows Defender Application Guard, which isn’t an app per se, but a security feature within Windows.)
One can get a broad idea of the importance Microsoft places on the various parts of its software ecosystem by eyeing the rate sheets for its numerous bounty programs. While the new Teams rewards are top-tier for an application, they’re dwarfed by the $100,000 maximums for Windows and its identity services.
A complete list of all Microsoft’s bounty programs can be found here.