Microsoft offers rewards for security bugs in Microsoft Teams

Microsoft is starting a new Applications Bounty Program, and the first application that they want researchers to find bugs in is Microsoft Teams, its popular business communication platform.

About Microsoft Teams

Microsoft Teams offers workspace chat, VoIP and videoconferencing, file sharing through chats, and meetings.

Like other videoconferencing and communication solutions, Microsoft Teams received a considerable boost with the advent of the Covid-19 outbreak, fueled by companies’ need to keep in touch with their employees working from home. In March 2020, the service had 44 million daily users. Only a month later, it hit 75 million.

What should bug hunters look for?

For the time being, only the Microsoft Teams desktop client for Windows, macOS, and Linux is in-scope.

Microsoft is offering between $30,000 and $6,000 for information about vulnerabilities that can lead to the following scenarios:

• Remote code execution (native code in the context of the current user) with no user interaction
• Ability to obtain authentication credentials (including authentication tokens) for other users (but not through phishing!)
• XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction
• Elevation of privilege which traverses an operating system user boundary (including elevation of privilege in the macOS updater)
• XSS or other (remote) code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction (e.g., previewing a document or expanding a message)

Aside from those, the company will also welcome reports about critical and important vulnerabilities that allow remote code execution, elevation of privilege, information disclosure, spoofing, and tampering. Depending on their severity and the quality of the report, the rewards can be as much as $15,000 or as little as $500.

“Submissions identifying vulnerabilities that reproduce only in online services will be reviewed under the Online Services Bounty Program. For eligible bounty targets and awards for research in other Office products, please see the Office Insider Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the right program,” the company added.