Microsoft Office Insiders Can Now Participate In $15,000 Bug Bounty Program

Microsoft is rolling out another perk to subscribers of its Office Insider program. In addition to letting Insiders test new builds and access features that have not yet been released to the public, Microsoft is launching a bug bounty program for them. Through the bug bounty program, Office Insiders can score anywhere from $500 all the way up to $15,000 for discovering vulnerabilities.

"The Microsoft Cloud and Online Services Bounty Program has helped us identify elusive vulnerabilities and provided a way to reward the individuals actively partnering with us to protect our customers. We want to continue incentivizing research around design and logic and reward deeper thought in important areas of Office," Microsoft said.

This is a temporary program that is in effect now and runs through June 15, 2017. Until that deadline, Office Insiders from around the world can receive monetary rewards for submitting security vulnerabilities found in Microsoft Office Insider slow builds. To qualify for a payout, Office Insiders must be running the latest, fully patched version of Windows.

Microsoft is offering some big bounties here. In some instances, Microsoft says it will even dole out more than $15,000. The biggest payouts apply to three different areas:
  • Elevation of privilege via Office Protected View sandbox escape (excludes vulnerabilities in components and libraries not installed by Office or AppContainer sandbox, that are applicable to any application using them).
  • Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint.
  • Code execution by bypassing Outlook's automatic attachment block policies for a predefined set of extensions, listed below, that are by default blocked by Outlook.
Vulnerabilities that fall into one of the above categories are worth between $6,000 and $15,000. Those are some big-time rewards, though they're not the highest amount Microsoft has ever offered. The Redmond outfit will pay up to $100,000 for "novel exploitation techniques against protections built into the latest version of the Windows operating system" and "defensive ideas that accompany a qualifying mitigation bypass submission."

Happy hunting!