Microsoft announced on Tuesday that it's willing to pay up to $20,000 for vulnerabilities reported as part of a new bug bounty program for Defender products.
The new Microsoft Defender Bounty Program kicks off with Defender for Endpoint APIs, but the tech giant says other products under the Defender brand will be added over time.
"The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team," the company says.
Participating researchers can earn between $500 and $20,000 for the identified flaws, depending on impact and report quality.
The highest rewards, Microsoft says, may be awarded for critical-severity remote code execution (RCE) bugs. The company is willing to hand out up to $8,000 for critical elevation of privilege and information disclosure issues, and may offer up to $3,000 for spoofing and tampering vulnerabilities.
To qualify for a bug bounty reward, researchers must report flaws that are within the scope of the program, that have not been previously reported, and that can be reproduced on the latest, fully patched version of the product.
In-scope vulnerabilities include cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), cross-tenant data tampering or access, insecure direct object references and insecure deserialization, injection, server-side code execution, and security misconfiguration issues.
Reports covering components with known vulnerabilities should also include proof-of-concept (PoC) exploit code, the tech giant says.
The reports must be clear and concise, and should include the information necessary to reproduce the issue.
All reports, Microsoft says, should be submitted through the MSRC Researcher Portal, indicate which high-impact scenario they qualify for, and should describe the attack vector for the bug.
"The Defender Bounty program's scope is limited to technical vulnerabilities in Defender-related products and services. If you discover customer data while conducting your research, or are unclear whether it is safe to proceed, please stop and contact us," the tech giant notes.
Further details on the Microsoft Defender Bounty Program can be found on the MSRC portal.