Please include the requested information listed below as much as you can provide to help us better understand the nature and scope of the possible issue.
Type of issue buffer overflow, SQL injection, cross-site scripting, etc. Product and version that contains the bug, or URL if for an online service Service packs, security updates, or other updates for the product you have installed Any special configuration required to reproduce the issue Step-by-step instructions to reproduce the issue on a fresh install Proof-of-concept or exploit code Impact of the issue, including how an attacker could exploit the issue This information will help us triage the report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty page for more details about our active programs. You should receive a response from our team within 24 hours.
Investigate and take action according to our published servicing criteria. Publicly acknowledge your contribution to protecting the ecosystem when we release a fix. Microsoft follows Coordinated Vulnerability Disclosure CVD and, to protect the ecosystem, we request that those reporting to us do the same. If your Outlook. Visit the Windows Support site to learn how to handle forgotten passwords and other sign-in problems.
If your computer is showing symptoms of spyware, viruses, or other unwanted softwareyou should first let your antivirus software scan your computer and try to fix the problem. You should also ensure that your computer has all the latest security updates from Microsoft Updateand that you are getting security updates automatically. If you continue to have trouble, you can find additional support options by visiting the Virus and Security Solution Center.
To find the appropriate support information for your location, visit Microsoft Product Support Services. See the Forums home page on TechNet to browse questions and answers, or ask your own question. Cybercriminals often use phishing email messages to try to steal personal information.
Learn how to recognize what a phishing email message looks like and how to avoid scams that use the Microsoft name fraudulently. Please send e-mail to piracy microsoft. Please send your virus, worm, or trojan horse submission to avsubmit submit. Send your spyware or other malware submission to windefend submit. Please visit the Microsoft Support page for more information. Report an issue and submission guidelines Frequently Asked Questions.Microsoft strongly believes close partnerships with researchers make customers more secure.
Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Each year we partner together to better protect billions of customers worldwide. If you are a security researcher that has found a vulnerability in a Microsoft product, service, or device we want to hear from you. If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions.
Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. Click here to submit a security vulnerability. The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined hereand our bounty Safe Harbor policy. Follow co-ord vulnerability disclosure.
Microsoft Azure. Microsoft Online Services. Microsoft Azure DevOps Services. Microsoft Dynamics Vulnerablility reports on applicable Microsoft Dynamics applications. Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V.
Microsoft Windows Insider Preview. Windows Defender Application Guard. Microsoft Edge Chromium-based. Office Insider. Vulnerabilities in ElectionGuard. Mitigation Bypass and Bounty for Defense. Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. Grant: Microsoft Identity. We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path or to higher payouts.
We truly view this as a collaborative partnership with the security community. Frequently Asked Questions. Example of High Quality Reports. Microsoft Bounty Legal Safe Harbor. Windows Security Servicing Criteria.
Directory of Azure Services. Microsoft Documentation for end users, developers, and IT professionals. Bugcrowd University. Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submission, vulnerability, or attack methods. Microsoft Bug Bounty Program.
We want to award you. We are looking for new.Individuals across the globe can receive monetary rewards for submitting security vulnerabilities found in Microsoft Office Insider slow build shipping on the latest, fully patched version of Windows. Office Insider preview updates are delivered to customers in different rings.
For the bounty program, we request you submit bugs on the Office Insider Preview slow ring. The Microsoft Bug Bounty program is looking to reward high quality submissions that reflect the research that you put into your discovery.
The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability. Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:. If we receive multiple eligible bug reports for the same issue from different external parties, the bounty may be granted to the first eligible submission we receive based on the criteria mentioned above.
If a duplicate report provides us new information that adds value to the vulnerability investigation, we may award a differential to the duplicate submission.
Vulnerability Impact. Elevation of privilege via Office Protected View sandbox escape excludes vulnerabilities in components and libraries not installed by Office or AppContainer sandbox, that are applicable to any application using them. Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint.
To help keep users safe, Office uses Protected View to open untrusted documents. We are looking for researchers to send us information on Office based techniques to escape the sandbox and other privilege escalations. By default, the macro security policies block execution of macros without user interaction. In this bounty program, we are encouraging researchers to send us information about vulnerabilities that would allow automatic macro execution in Microsoft Word, Excel and PowerPoint without additional user interaction in the default configuration and without trusting the document.
Several file extensions are currently blocked as attachments in Outlook. For more information on blocked attachments in Outlook, please check here. While we encourage any submissions that describe security vulnerabilities in our browsers, the following are examples of vulnerabilities that will not earn a bounty reward under this program:. Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion. We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
To get additional information on the Microsoft legal guidelines please go here. December 7, Updated duplicate report policy and added revision history.Microsoft continues to invest heavily in the security and privacy of both our consumer Microsoft Account and enterprise Azure Active Directory identity solutions. We have focused on the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.
The Microsoft Identity Bounty Program invites researchers across the globe to identify vulnerabilities in identity products and services and share them with our team. In conjunction with our collabortion with the OpenID standards community our bounty includes certified implementations of select OpenID standards.
Vulnerability submissions must meet the following criteria to be eligible for bounty award:. Microsoft products and services Certified Implementations listed here. Standards professionals with contributions or affiliations to identity standards working groups are not eligible to receive standards-related bounties.
Independent security research is an important component to overall confidence in the security of products and services. As part of that research, the community must also be aware that these services are live and running in a production environment for the continual use of customers.
We ask that security researchers make a good faith effort to:.Microsoft offers $250,000 to identify Meltdown, Spectre-like chip bugs
To further help security researchers understand the bounds of research within our services, the following methods are prohibited:. The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined hereand to our bounty Safe Harbor policy. Have questions? Microsoft Identity Bounty Program. The impact of the vulnerability Attack vector if not obvious. Security Impact. High Medium Low. Spoofing e. Information Disclosure e.
Sensitive Data Exposure. Standards-based implementation vulnerabilities S ome limitations apply, see Out of Scope section below. You must create test accounts and test tenants for security testing and probing. For Azure services, you can start a free trial to use as your test account here. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.
We ask that security researchers make a good faith effort to: Avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.Microsoft is not responsible for submissions that we do not receive for any reason.
Microsoft will exercise reasonable efforts to clarify indecipherable or incomplete submissions, but more complete submissions are often eligible for higher bounties see program rate tables for details. There are no restrictions on the number of qualified submissions an individual submitter can provide and potentially be paid bounty for.
Microsoft Bounty Program
Our engineers will review the submission, including reproducting the vulnerabilty and assesing the security impact. After your submission has been validated, if it is eligible for a bounty award we will contact you share the good news and begin the award payment process. You will complete registration with one of our award payment providers.
Once registration is complete you will receive your bounty award. Microsoft retains sole discretion in determining which submissions are qualified. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission. If a duplicate report provides new information that was previously unknown to Microsoft, we may award a differential to the person submitting the duplicate report.
The bounty programs represent the latest in our ongoing investment in working collaboratively with security researchers. Protecting customers is Microsoft's highest priority. We endeavor to address each vulnerability report in a timely manner. While we are doing that we require that bounty submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.
You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed.
We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Microsoft will notify you when the Vulnerability in your submission is fixed. This includes blog posts, public presentations, whitepapers and other media.
To give people time to update, we generally recommend waiting for at least 30 days after your submission has been fixed by Microsoft before discussing it publicly. We will award you the bounty for the vulnerability reported. If you are submitting your own mitigation bypass idea that you invented, then you do not need to pre-register. Simply send it to secure microsoft.
If you are submitting a mitigation bypass technique that you found in use in the wild, then you will need to pre-register before you submit. Email bounty microsoft.
Please see complete program terms here. If you have a defensive technique and corresponding exploits to prove the technique works, you will be eligible for this program. Microsoft will continue to manage our Bounty Programs independently from the HackerOne and Bugcrowd platforms.
Awards through our corporate system will be processed monthly. This page answers frequently asked questions about the Microsoft Bounty Program.Keep in touch and stay productive with Teams and Officeeven when you're working remotely. Learn how to collaborate with Office Tech support scams are an industry-wide issue where scammers trick you into paying for unnecessary technical support services. You can help protect yourself from scammers by verifying that the contact is a Microsoft Agent or Microsoft Employee and that the phone number is an official Microsoft global customer service number.
Did this solve your problem? Yes No. Sorry this didn't help. April 14, Keep in touch and stay productive with Teams and Officeeven when you're working remotely. Site Feedback. Tell us about your experience with our site. HintOfLime Created on November 7, Just curious, I'd imagine it depends on the bug and what problems it can lead to.
This thread is locked. You can follow the question or vote as helpful, but you cannot reply to this thread. I have the same question 0. Aravinda Arachige Replied on December 21, Volunteer Moderator. I dont feel they are going to pay u for reporting bugs, but you are helping fellow people in the community Thanks for marking this as the answer.
How satisfied are you with this reply? Thanks for your feedback, it helps us improve the site. How satisfied are you with this response? Frederik Long Replied on December 21, The bug I may have found involves Xbox live, and it also involves a computer. This site in other languages x.Microsoft may award more depending on the quality and complexity of the submission. The Microsoft Bug Bounty program rewards high quality submissions that reflect the research that you put into your discovery.
The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept PoC. Sample high- and low-quality reports are available here. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.
We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.
For more information on the Windows Insider Preview platform, see the following references:. Vulnerability submissions must meet the following criteria to be eligible for bounty award: Identify a previously unreported Critical or Important vulnerability that reproduces in WIP fast.
Affect a feature that is both serviced and eligible for bounty according to the Windows Security Servicing Criteria.
Find a Bug in Windows 10, Get Up to $100,000 Microsoft Bug Bounty
Include clear, concise, and reproducible steps, either in writing or in video format. Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue. This supports the highest award for the type of vulnerability being reported. Include the impact of the vulnerability e. Include an attack vector if not obvious.
For example, Vulnerabilities in Windows Store, Windows Apps, firmware, third party drivers, or third-party software in Windows. Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community. Vulnerabilities requiring extensive or unlikely user actions.
Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configuration. Have questions? We're always available at secure microsoft. Added temporary Windows sandbox escape scope and increased award levels. October 3, Removed Defender AV sandbox escape bounty bonus.