Microsoft adds on-premises Exchange, SharePoint to bug bounty program (Security News, April 2022)
Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today.
With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.
"The Microsoft Applications and On-Premises Servers Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft applications and on-premise servers and share them with our team," the company says.
"The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application," Microsoft further explained.
20%
- SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL: 20%
- Insecure deserialization of user-controllable data, leading to remote code execution on server: 30%
- Arbitrary file write of user-controlled data on user-controlled location on the server: 20%
- Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities: 20%
- Vulnerabilities within Exchange Emergency Mitigation Service: 15%

More information about award amounts, in-scope apps and on-premise servers is available on the Applications and On-Premises Servers Bounty Program page.