The Microsoft Security Response Center (MSRC) is always looking for ways to provide clarity and transparency around how we assess the impact of vulnerabilities reported in our products and services. We have published a new Microsoft Vulnerability Severity Classification for Online Services to provide additional information about our approach to online services and web applications.
The new classification guide helps provide a common language for external researchers and Microsoft security engineering teams to discuss the impact of vulnerability submissions, with more detail and data-classification impact than previous guides.
The M365 Bug Bounty Program is the first bug bounty program to use the new data classification, with bounty awards up to $19,500 for eligible submissions.
We value the partnership of external researchers who find and report security vulnerabilities to help us protect billions of customers. We hope these resources make it easier to understand the reasoning behind our online service severity classification and assist researchers looking to focus their efforts in the highest impact areas.
If you have any questions about the new vulnerability classification guide or MSRC, please visit our FAQ page or contact [email protected].