Security researchers can now make money out of finding vulnerabilities in Microsoft's OneDrive online storage and data sharing service, the company announced over the weekend.
Along with OneDrive, researchers are invited to poke holes in Azure, Office 365 properties and the Microsoft Account login system.
Vulnerabilities eligible for bug bounty payouts include cross-site scripting (XSS) and request forgery (CSRF) flaws, being able to bypass multi-tenant service data protection, direct object references and injection, server-side code execution, privilege escalation and authentication issues.
Microsoft will also pay a bounty for significant security misconfigurations discovered by researchers, who must be at least 14 years of age and registered for taxation.
While Microsoft encourages submissions and provides test environments for the bug bounty program, the company limits the vulnerability hunt to the above flaws only.
Social engineering, denial of service attempts, accessing others' data and moving beyond proof of concepts for server-side code execution is not acceptable, and Microsoft warns it may respond to what it thinks are malicious activities in its network.
As with Google's bug bounty program, and security vendor Trend Micro's Pwn2Own competition, finding flaws in Microsoft's online services can be lucrative for researchers: the minimum payout for a qualified vulnerability is US$500 (A$657), going up to a maximum of US$15,000.
In total, Microsoft said it has paid out over US$500,000 in bug bounties. Researchers from Hewlett-Packard's Zero Day Initiative, Context Security and NSFOCUS have been rewarded with US$100,000-sized payments, for discovering mitigation bypasses.
Vulnerability submissions should be emailed to Microsoft.
