
Microsoft launched its new Microsoft Defender Bounty Program

Microsoft announced this week it will pay up to $20,000 for security vulnerabilities in its Defender products.

Microsoft launched its new Microsoft Defender Bounty Program, focused on Defender products and services, with rewards of up to $20,000 per qualifying vulnerability.

The program starts with the Defender for Endpoint APIs; other products in the Defender brand will be added to the scope over time.

“The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team,” reads the announcement. “The Defender program will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs and will expand to include other products in the Defender brand over time. Qualified submissions are eligible for bounty rewards from $500 to $20,000 USD.”

Only critical- or important-severity vulnerabilities that affect the latest, fully patched version of the in-scope product or service are eligible.

The top award of $20,000 is reserved for critical-severity remote code execution (RCE) vulnerabilities. Critical elevation of privilege and information disclosure flaws can earn up to $8,000, while spoofing and tampering vulnerabilities can earn up to $3,000. The exact award also depends on the severity and the quality of the report.


In-scope vulnerabilities include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Cross-tenant data tampering or access
  • Insecure direct object references
  • Insecure deserialization
  • Injection vulnerabilities
  • Server-side code execution
  • Significant security misconfiguration (when not caused by the user)
  • Using components with known vulnerabilities
    • Requires a full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.

Researchers submit reports through the MSRC Researcher Portal, indicating which high-impact scenario (if any) the report qualifies for and the attack vector of the vulnerability.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Defender)