Security News > 2022 > April > Microsoft adds on-premises Exchange, SharePoint to bug bounty program
Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today.
With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.
"The Microsoft Applications and On-Premises Servers Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft applications and on-premise servers and share them with our team," the company says.
"The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application," Microsoft further explained.
20% SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL 20% Insecure deserialization of user-controllable data, leading to remote code execution on server 30% Arbitrary file write of user-controlled data on user-controlled location on the server.
20% Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities 20% Vulnerabilities within Exchange Emergency Mitigation Service 15%. More information about award amounts, in-scope apps and on-premise servers is available on the Applications and On-Premises Servers Bounty Program page.
News URL
Related news
- Microsoft 365 outage impacts Exchange Online, Teams, Sharepoint (source)
- Microsoft SharePoint RCE bug exploited to breach corporate network (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- Microsoft re-releases Exchange updates after fixing mail delivery (source)