Microsoft today announced it has expanded the scope of its bug bounty programs to encompass new products. Microsoft Azure and Office Sway have been added to the Online Services Bug Bounty Program, while Project Spartan, Internet Explorer’s successor in Windows 10, has gained its own bug bounty program.
Microsoft has also increased the maximum payout for the Online Services Bug Bounty Program. The company will now pay up to $15,000 USD for critical bugs — more impactful and better documented bugs will get you the most money.
The biggest addition is arguably Azure, since Microsoft’s cloud platform is the backbone for many Microsoft cloud services. The new program is quite broad: In addition to Azure itself, it includes Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory, and so on.
“With the addition of Azure to the Microsoft Online Services Bug Bounty Program, customers now have the ability to perform targeted security vulnerability assessments of the Azure platform itself,” David Cross, Azure security engineering director, said in a blog post. “If issues are identified that meet the eligibility requirements, the finder can be rewarded for their work that helps make Azure a more secure platform for all.”
Next up is Sway, which is technically still in preview but receives improvements on the regular (it got two updates this month alone). Adding the presentation application to its bug bounty programs shows Microsoft is very much committed to its new Office tool.
Speaking of preview, while Project Spartan is technically only available to Windows 10 testers, Microsoft is expecting it to be “the onramp to the Internet for millions of users when Windows 10 launches later this year.” As such, a bug bounty program well before Internet Explorer’s successor debuts makes a lot of sense.
Microsoft says the Project Spartan program, which also pays up to $15,000 USD for security vulnerabilities, will run for three months: until June 22, 2015. After that, we presume it will be folded into a broader program.
If you’re hoping to find security holes in Project Spartan, make sure you are using the latest Windows 10 Technical Preview. The program includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs; the official terms will be posted here.
Compared to some of its competitors, Microsoft was late to the bug bounty game. Since June 2013, however, the company has been rewarding security researchers for their hard work (up to $100,000 in some cases) in helping to improve its software and services.