Microsoft Expands Security Bug Bounty Program, Will Pay Researchers That Find Flaws In Office 365 Cloud Apps
Microsoft, which launched its first-ever "bug bounty" programs for on-premise software last June, said Tuesday it will pay security researchers that find certain types of serious vulnerabilities in its Office 365 suite of cloud services.
Microsoft has its own security team that does lots of internal and external testing to ensure Office 365 apps are secure, and this starts from the earliest stages of developing the software. But Microsoft reckons it can't hurt to have more eyes looking for vulnerabilities in Office 365, which is why it's launching the Office 365 bug bounty program.
"We work hard to develop secure software and defend our services from breaches, but we recognize that security is a journey and not a destination, and we are always looking for ways to move faster," Travis Rhodes, Microsoft's senior security lead for Office 365, said in a blog post Tuesday.
[Related: Microsoft Explains Why It Changed Its Mind About Bug Bounty Programs]
Office 365 apps are the first cloud products Microsoft is adding to its bug bounty program, and Microsoft plans to include others in the future, Rhodes said in the blog post.
The types of vulnerabilities Microsoft will pay bounties for include cross-site scripting, injection flaws, authentication flaws and server-side code execution flaws, according to Microsoft's terms and conditions for the bug bounty program.
Researchers will receive a minimum bounty of $500 for each qualified vulnerability they submit, but the amount could be more if Microsoft deems it a high-impact flaw.
Jerod Powell, co-founder and CEO of San Jose, Calif.-based Microsoft partner InfinIT Consulting, said the Office 365 bug bounty program will make the product better and more secure.
"They could hide like a lot of companies do but instead they are being proactive with this," Powell said. "I also think it solidifies their commitment to 'Cloud First, Mobile First' -- they have to practice what they preach."
Peter Bybee, president and CEO of San Diego, Calif.-based Security On-Demand, a managed security services provider, said researchers have not been focusing as much on finding vulnerabilities in cloud services as on-premise software.
"We're just now cracking this thing open. Most exploits are still custom malware-type threats, the stuff we're seeing in the world that has been hammering the retail organizations," Bybee said.
Heartbleed was the last major systemic vulnerability to affect cloud providers, but there are almost surely others looming on the horizon, Bybee said.
"I don't think there's any doubt that they're sitting there waiting to happen, which is why researchers need to be more focused on cloud services," Bybee said.
Andrew Plato, president of Anitian Enterprise Security of Beaverton, Ore., thinks Microsoft has the right idea in crowdsourcing its bug bounty program and expanding it to cloud services.
"It's much better to have amateur hackers looking for flaws and reporting them to Microsoft than putting them on the hacker forums," Plato said.
Microsoft for years refused to follow the lead of other software vendors by paying researchers for submitting bugs, but the rise of the black market for exploits prompted a change of heart.
Microsoft launched its first three bug bounty programs last June, offering researchers up to $150,000 in cash for finding previously unknown flaws in Windows 8 and Internet Explorer 11.
PUBLISHED SEPT. 23, 2014