Saturday, 20 July 2019
Microsoft has launched one more bug bounty to its security rewards lineup. Now researchers will for the first time be able to hunt for bugs in Dynamics 365 ERP and CRM software and get rewards of up to $20,000.
The Dynamics 365 Bounty program opened two , inviting researchers to find and report vulnerabilities in Microsoft's Dynamics 365 applications with incentive rewards of between $500 and $20,000 for valid bugs.
There are dozens of online and on-premise Dynamics 365 applications: online apps include Dynamics 365 for sales, customer service, field service, talent, finance and operations, retail and more. The latest releases of on-premise Dynamics 365 apps are also in scope, including Dynamics AX, CRM, GP, NAV, and SL.
Microsoft has also updated its main Microsoft Bug Bounty Program with simplified high-level requirements for them and extra links and resources.
And it's reorganized its bug bounties into three main categories: Cloud Programs; Platform Programs; and Defense Programs.
Dynamics 365 is the newest under the Cloud Programs section, which also includes Microsoft Identity services, such as Azure Active Directory. Also in this group are Azure DevOps Services, .NET Core and ASP.NET Core, andthe Microsoft Cloud Bounty.
The Platform Programs cover Microsoft Hyper-V, the Windows Insider Preview, Windows Defender Application Guard, the Edge on Windows Insider Preview, and Office Insider.
The Defense Programs currently only includes the 'Mitigation Bypass and Bounty for Defense', which offers the highest rewards of up to $100,000.
The extra resources include links to frequently asked questions, examples of low and high quality reports, the Windows security servicing criteria, a directory of Azure Services, Microsoft product documentation, and a link to the Microsoft Security Research & Defense blog.
The Dynamics 365 top payout is in line with the top reward for the Microsoft Cloud Bounty, which recently got bumped up to $20,000 from $15,000.
Earlier this year Microsoft handed off payment-processing responsibilities to third-party bug bounty platform HackerOne and has since added Bugcrowd to its payment roster. Microsoft continues to handle triage of bug reports and deciding on the value of rewards, but moved to HackerOne and Bugcrowd in order to speed up payments to researchers offer different payment options, including in cryptocurrency.