Microsoft is launching a new Applications Bounty Program, and the first application it wants researchers to hunt bugs in is Microsoft Teams, the popular business communications platform.
About Microsoft Teams
Microsoft Teams provides workspace chat, VoIP, video conferencing, and file sharing within chats and meetings.
Like other video conferencing and communication solutions, Microsoft Teams saw a significant boost with the arrival of the Covid-19 outbreak, driven by companies' need to stay in touch with employees working from home. By March 2020, the service had 44 million daily users. Just a month later, it reached 75 million.
What should bug hunters pay attention to?
For now, only the Microsoft Teams desktop client for Windows, macOS, and Linux is in scope.
Microsoft is offering between $6,000 and $30,000 for reports of vulnerabilities that lead to the following scenarios:
- Remote code execution (native code in the context of the current user) without user interaction
- Ability to obtain authentication data (including authentication tokens) of other users (but not via phishing!)
- XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com without user interaction
- Privilege escalation across the operating system's user boundary (including privilege escalation in the macOS updater)
- XSS or other (remote) code injection resulting in the ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction (for example, previewing a document or expanding a message)
In addition, the company also welcomes reports of critical and important vulnerabilities that allow remote code execution, elevation of privilege, information disclosure, spoofing, or tampering. Depending on the severity and quality of the report, rewards for these range from $500 up to $15,000.
“Submissions that identify vulnerabilities that reproduce only in online services will be reviewed under the Online Services Bounty Program. Refer to the Office Insider Bounty program for eligible bounty targets and rewards for research in other Office products. All submissions are reviewed to qualify for a bounty, so don’t worry if you’re not sure where your submission fits. We will send your report to the right program,” the company added.