Microsoft’s Applications Bounty Program has been extended to cover Microsoft Teams mobile apps, and bug hunters can earn up to $30,000 for reports about specific vulnerabilities.
Microsoft Teams: A popular business solution
Microsoft Teams is an enterprise communication and collaboration platform that provides workspace one-on-one and group chat, videoconferencing, VoIP, file sharing and storage, and meetings.
Its popularity and use soared in the wake of the COVID-19 pandemic and, as of April 2021, it has over 145 million daily users.
Eligible bugs and awards
Microsoft started its Applications Bounty Program in March 2021, with Microsoft Teams Windows, macOS, and Linux desktop clients as the initial targets for bug hunters.
Depending on the severity of the discovered flaws, the company offered bounties that could reach $30,000.
Microsoft is now looking for reports about vulnerabilities of Critical or Important severity reproducible on a fully patched operating syste (iOS or Android) and the latest version of the corresponding Microsoft Teams mobile appliaction.
“The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers,” the company explains.
Maximum award of $30,000
Microsoft offers a maximum award of $30,000 for vulnerabilities that allow remote code execution (within application sandbox) with no user interaction, and $15,000 for those that may allow attackers to obtain authentication credentials (including authentication tokens) for other users – but not through phishing.
There are also more general bounty awards, ranging from $500 to $15,000, for vulnerabilities that allow remote code execution, elevation of privilege, information disclosure, spoofing, and tampering.
Bugs that could result in denial of service are out of scope, and so are vulnerabilities requiring extensive or unlikely user action, those that rely on default security settings being downgraded or the system to use uncommon configuration, and vulnerabilities on mobile applications that are modified after downloading from the app store.
“Submissions for Teams online services will continue to be awarded under the Online Services Bounty Program,” Lynn Miyashita, Program Manager at Microsoft Security Response Center, added.