Skip to main content

Make some serious cash finding bugs with Microsoft's Office Insider Bug Bounty program

There’s probably no better way to find security bugs than to offer money to the people who actually use software on a daily basis to do just that. That’s why companies like Microsoft and Google offer increasingly significant amounts of money through reward programs aimed at discovering and then fixing vulnerabilities.

Microsoft has its lucrative Bug Bounty program for Windows that just saw its reward double to $30,000 for anyone identifying a verified exploit. Now, the company has announced a new program that offers some serious cash to users of its Office productivity suite for Windows Desktop.

The new Office Insider Bug Bounty program will pay anyone using the Insider slow ring builds up to $15,000 for finding security bugs before they have a chance to make their way to the production version. The kinds of bugs for which Microsoft will pay out include:

  • Elevation of privilege via Office Protected View.
  • Macro execution by bypassing security policies to block macros.
  • Code execution by bypassing Outlook automatic attachment block policies.

Go here to dig into the details of how Microsoft will determine eligibility and how you need to submit your bugs. These particular bugs are viewed as likely to be the most prominent and most likely to affect Office users. Macros and email attachments are common vectors of attack on all Office platforms.

Before you spend too much time looking for bugs, here’s a list of vulnerabilities that will not be covered:

  • Vulnerabilities in anything earlier than the current Office Insider slow build on Windows Desktop.
  • Vulnerabilities in user-generated content.
  • Vulnerabilities requiring extensive or unlikely user actions.
  • Vulnerabilities found by disabling existing security features.
  • Vulnerabilities in components not installed by Office.
  • Vulnerabilities in third-party components that might be installed on the system that enable the vulnerability.
  • Vulnerabilities about escaping Protected View where Protected View is explicitly not activated in Office code or enabled by default for the reported scenario.
  • Vulnerabilities in the Application container.
  • Any other category of vulnerability that Microsoft determines to be ineligible, in its sole discretion.

The Microsoft Office Bug Bounty program will last from March 15, 2017, through June 15, 2017. Payouts will range from $500 to $15,000, and of course, there are important terms and conditions to keep in mind. You also need to be a member of the Office Insider program utilizing an Insider slow ring build of Office for Windows Desktop.

You can sign up to be an Office Insider here. Go to File > Account and look under Office Updates to check which version you’re running. Click on Office Insider and select Change Level to move from one ring to another or remove yourself from the Office Insider program.

Editors' Recommendations

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
EU to offer bug bounties for finding security flaws in open-source software
Bug bounty using computer

Bug bounties are a way for companies to check the security of their software by offering cash to freelancers who hunt for security exploits and then report them so that they can be fixed. The idea is that everyone benefits from this process: the company gets its software checked by a larger variety of people than they could employ by themselves, the bug hunters get offered legitimate cash for finding a security flaw instead of selling that information on the black market, and the public gets software which has been more thoroughly checked for security issues. Big tech companies like Google and Intel have been running bug bounty programs for years.

Now the European Union is getting in on the action too. From January 2019, the EU will be launching a bug bounty program as part of their Free and Open Source Software Audit project (FOSSA), focused on security issues with open-source software. The FOSSA project was started back in 2014 when security vulnerabilities were found in the OpenSSL Open Source encryption library which is used for the encryption of internet traffic. As free and open-source software performs a number of vital functions for every internet user, the European Parliament and others decided to take on the challenge of auditing the free software that they use for security issues.

Read more
Facebook is paying cash rewards if you find vulnerabilities in third-party apps
Crisis Response Hub

The recent Cambridge Analytica scandal rocked Facebook, prompting the company to examine more closely where its masses of user data ends up and how it's utilized.

As part of those efforts, the social networking giant this week announced it's expanding its bug bounty program to include third-party apps and websites that let people use their Facebook accounts to log in.

Read more
Earn up to $10,000 by squashing printer-based bugs in HP’s bounty program
HP LaserJet Pro M426fdw Multifunction Wireless Laser Printer laser printer deals

HP is calling an “industry first” by launching a print security bug bounty program providing rewards up to $10,000. It’s backed by Bugcrowd, a crowdsourced security platform that manages bug bounties, vulnerability disclosures, and more. The program will focus on bugs related to printers, which can be an entry point for hackers.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” Shivaun Albright, HP's Chief Technologist of Print Security, said in a statement. “HP is committed to engineering the most secure printers in the world.”

Read more