Starting today, we are doubling the maximum bounty award for the Microsoft 365 Insider Bug Bounty Program to $30,000 USD for high-impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. We are also expanding the scope of our bounty program to include more vulnerability types and products. From Security feature bypass to Microsoft OneNote, we’re partnering with researchers to cast a wider net to catch and fix high-severity security vulnerabilities. Finally, we’ve introduced a tiered approach to awards for vulnerabilities that meet a certain severity and report quality.
To get started, join the Microsoft 365 Insider program. For more information, see:
As shared in our bounty year in review blog post, we are constantly growing, iterating, and evolving our bounty programs to help Microsoft customers stay ahead of the curve in the ever-changing security landscape and emerging technologies. We are grateful for the security research community and look forward to receiving your submissions and working with you to improve security for everyone.
Found a security vulnerability? Share your findings by submitting a report through the MSRC Researcher Portal.
We are excited to learn and hear your feedback on the expanded Microsoft 365 Insider bounty program. If you have any questions about this program or any other security research incentive program, please email us at [email protected].
Bruce Robinson, MSRC