Microsoft today announced another Bug Bounty Program, and this time it’s for Office Insiders who are using the desktop Windows apps. The Program will last for three months – similar to the one it ran for Project Spartan (now Microsoft Edge) back in April 2015 – and will end on June 15.
There are three types of vulnerabilities that Microsoft is looking for. As we know, untrusted Office documents open in Protected View, so anything that could elevate privileges while in that mode would be eligible. Another is being able to bypass the security policies that block macros from executing, and the last vulnerability the firm is looking for is the ability to bypass Outlook’s automatic attachment block policies.
There are also a number of things that would disqualify your submission:
- Vulnerabilities in anything earlier than the current Office Insider slow build on Windows Desktop
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities found by disabling existing security features
- Vulnerabilities in components not installed by Office
- Vulnerabilities that depend on third-party components that might be installed on the system
- Vulnerabilities about escaping Protected View where Protected View is explicitly not activated in Office code or enabled by default for the reported scenario.
- Vulnerabilities in the Application container
- Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion.
Payouts can be up to $15,000, but it varies and can be as little as $500. Elevation of privilege in Protected Mode can be between $9,000 and $15,000, depending on the report quality. Macro execution pays out the same, but bypassing the security features in Outlook pays between $6,000 and $9,000.
There’s also some fine print. If multiple users submit the same report, the first person to submit it gets the bounty; however, if someone else provides information on the same exploit that adds value, that person may receive some money as well. Finally, if you submit a report on an issue that is internally known and actively being worked on, you can get up to $1,500.