Bountycraft at Nullcon 2017

Security is a critical component of our products at Microsoft. A strong emphasis on security is a persistent factor throughout our entire development process. Microsoft is committed to designing and developing secure software. Testing is performed both internally and by working closely with the broader security community. This is done through a wide range of partnerships and programs including bug bounties to ensure that customers receive the most secure products. Serving this mission, Microsoft launched its first bounty program in 2013 to compensate researchers for their time spent investigating and reporting security vulnerabilities directly to Microsoft. Since then, Microsoft has significantly expanded its bug bounty programs to include Office, Windows, Internet Explorer, Edge and the Microsoft Cloud Services.

After launching the Microsoft Cloud, Edge and Mitigation bypass bounty programs, we realized that the software and services vulnerability reporting trends have shifted and more than a third of our vulnerability reports now come from Asia. We receive over 50% of services vulnerabilities from India and over 30% of software vulnerabilities from China.

In March 2017, at the Nullcon conference in India, Microsoft hosted a workshop with the goal of finding better ways of working with the security research community to eliminate or mitigate potential threats to customers.

The workshop aimed to better enable south-east Asian security professionals to find high quality, high impact bugs and to help us identify more ways to make our products more secure. Microsoft delivered a few presentations in India, which focused on Windows, Azure and the Microsoft Cloud. We also launched the Office 365 Portal and Exchange Online limited time double bounty.

You can download the full slide decks below:

Here is a summary of the content:

1) Agility with Security Mitigations in Windows 10

Mitigations are an efficient way of looking at security problems, as they help us eliminate classes of vulnerabilities and exploit techniques by moving the needle away from individual fixes. Since Windows moved to a faster release cycle, we have been able to deliver security mitigations to customers quicker than before. Since Windows 10, we have added many mitigations with every release at an accelerated pace. Continuous mitigation additions are evident if you are part of the Windows Insider Program.

This talk focused on highlighting Windows's new release cadence, which made it possible to land mitigations. We listed all the mitigations in Windows 10 since its initial release and in the Creators Update release. Overall, the slide deck gives a good overview of the latest security mitigations. This should help someone looking to get started with mitigation bypass bounties.

2) How to be successful with Azure bounties & the inner working of the Microsoft Bounty Program

This training was focused on Microsoft Azure and the bounty program offerings. In the presentation, we provided details on a few externally reported vulnerabilities that were fixed and why some bugs received the top rewards of $15,000 and $26,000 during the double bounty rewards. Also, we went over the process of getting Azure installed and configured to enable finding the bugs we pay most for.

Our goal with this workshop was to give white-hatters clarity on how Microsoft adjudicates security bugs and how to make the most of your bounty bugs.

The short answer is we pay more for higher impact. We recommend:

  • That you look beyond the type of vulnerability and focus more on how a vulnerability negatively affects Microsoft properties (and the perceived impact to our users).
  • To wisely choose the Microsoft cloud properties (or targets) you are trying to compromise. Some properties pay more than others (due to impact to users).

Another important piece of information presented at the conference was the bug types that received the highest payouts in the past few years:

  • Authentication Vulnerabilities
  • Privilege Escalations
  • Cross Site Scripting (on high traffic, high impact sites)

Our guidance to receive top payouts from our bounty programs is quite simple.

  1. Always submit a good quality report with easily reproducible steps
  2. Specify the target domain
  3. Help us understand the attack scenario:
    • What privileges do you need to trigger the exploit (user, admin, system etc.)?
    • How did you trigger the exploit?
    • What will the attacker gain or compromise if this was found in the wild?
    • What is your perceived impact?

Send all bugs to (with secure@ in the To line). Encrypt the email if you are sending a functioning exploit.

Akila Srinivasan, Security Program Manager
Michael Hendrickx, Senior Security Engineer
Swamy Shivaganga Nagaraju, Senior Security Engineer