Microsoft
Global technology leader in cloud computing (Azure), productivity software (Office 365), operating systems (Windows), and gaming (Xbox).
https://microsoft.comMax Reward
$250,000
Total Paid
$18,200,000
Resolved
1204
Avg Response
2 days
In-Scope Assets
Azure Cloud
Azure portal, APIs, VMs, storage, and networking
Microsoft 365
Office apps, Teams, SharePoint, OneDrive
Windows OS
Windows 10/11 kernel, drivers, and built-in applications
Edge Browser
Microsoft Edge and related services
Out of Scope
- ✕ LinkedIn (separate program)
- ✕ Xbox Live social features
- ✕ Third-party marketplace apps
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (3)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| MSFT-001 | Privilege escalation in Azure Active Directory via Graph API | Critical | Open | $15,000–$250,000 | 0 |
| MSFT-002 | Remote code execution in Office 365 macro sandbox escape | Critical | In Review | $15,000–$250,000 | 3 |
| MSFT-003 | SSRF in Azure DevOps pipeline webhook handler | High | Resolved | $5,000–$15,000 | 4 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.