Microsoft adds on-premises Exchange, SharePoint to bug bounty program
2022-04-05 15:53

Microsoft has announced that, starting today, Exchange, SharePoint, and Skype for Business on-premises are part of the Applications and On-Premises Servers Bounty Program.

With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.

"The Microsoft Applications and On-Premises Servers Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft applications and on-premise servers and share them with our team," the company says.

"The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application," Microsoft further explained.

20%

- SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL 20%
- Insecure deserialization of user-controllable data, leading to remote code execution on server 30%
- Arbitrary file write of user-controlled data on user-controlled location on the server. 20%
- Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities 20%
- Vulnerabilities within Exchange Emergency Mitigation Service 15%

More information about award amounts, in-scope apps and on-premise servers is available on the Applications and On-Premises Servers Bounty Program page.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-adds-on-premises-exchange-sharepoint-to-bug-bounty-program/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774