Today we’re announcing the participation of Office 365 in the new Microsoft Online Services Bug Bounty Program. Through this program, which launches today, we are able to reward and recognize security researchers by offering a bounty for qualifying security vulnerabilities they report to us. We are participating in this program for a number of reasons, chief among them are:

  1. We take security vulnerabilities very seriously. We recognize that you, our customers, depend on us for tools to run your organizations, whether that is a Fortune 500 company, a small business, a non-profit, or an educational institution. We take it seriously that you trust us with your data, and this program is part of our investment in continually improving the security of our services. You can find more details about our broader investments in security, compliance and privacy on the Office 365 Trust Center.
  1. You asked us for it. Our customers are security conscious, and want the freedom to examine and understand the security profile of our offerings. With the program terms announced today, there is now a framework for enabling targeted security vulnerability assessments of Office 365 services by anyone who wishes to participate.  With these rules, you can now validate the security of the service, and if you identify issues and meet the eligibility requirements, Microsoft will compensate you for that good work.
  1. This is the right thing to do for our customers and our services. In Office 365, we have security teams that use industry trends and emerging threats to drive internal and external penetration tests and conduct vulnerability scans and assessments throughout the lifecycle of development and operation of the service. Office 365 pursues and receives many rigorous third-party security and compliance accreditations to provide customers with third-party audited proof of our implementation of best practices. We work hard to develop secure software and defend our services from breaches, but we recognize that security is a journey and not a destination, and we are always looking for ways to move faster.  This bounty program is one more way that we can enable and recognize that great community that helps us make Office 365 even safer.

We encourage you to read the program terms and FAQs before beginning your research or reporting a vulnerability. We would like to extend a big ‘Thank you’ to everyone in the community who has reported issues in Office 365 in the past, and we are looking forward to rewarding your efforts in the future.


Published: 9/24/2014 9:27