March 26, 2021

Microsoft offers rewards for security flaws in Microsoft Teams

Microsoft has launched a new Applications Bounty Program, and the first application it wants researchers to hunt for bugs in is Microsoft Teams, the popular business communications platform.

About Microsoft Teams

Microsoft Teams offers workplace chat, VoIP and video conferencing, and file sharing through chats and meetings.

Like other video conferencing and communication solutions, Microsoft Teams received a significant boost with the arrival of the Covid-19 outbreak, fueled by the need for companies to stay connected with employees working from home. In March 2020, the service had 44 million daily users. Just a month later, it reached 75 million.

What should bug hunters pay attention to?

For now, only the Microsoft Teams desktop client for Windows, macOS, and Linux is in scope.

Microsoft is offering between $6,000 and $30,000 for information about vulnerabilities that could lead to the following scenarios:

  • Remote code execution (native code in the context of the current user) without user interaction
  • Ability to obtain authentication credentials (including authentication tokens) for other users (but not via phishing!)
  • XSS or other (external) code injection resulting in the ability to run arbitrary scripts in the context of teams.microsoft.com or teams.live.com without user interaction
  • Privilege elevation that exceeds the user boundary of an operating system (including elevation in the macOS updater)
  • XSS or other (external) code injection resulting in the ability to run arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction (e.g. preview a document or expand a message)

Aside from that, the company also welcomes reports of critical and important vulnerabilities that could allow remote code execution, elevation of privilege, information disclosure, spoofing, and sabotage. Depending on the severity of the vulnerability and the quality of the report, rewards range from as little as $500 to as much as $15,000.

“Entries identifying vulnerabilities that reproduce only in online services will be evaluated under the Online Services Bounty Program. Refer to the Office Insider Bounty Program for eligible bounty targets and rewards for research in other Office products. All submissions will be assessed to qualify for a bounty, so don’t worry if you’re not sure where your entry fits. We’ll send your report to the appropriate program,” the company added.

Source: helpnet security
