Microsoft has added local versions of Exchange, SharePoint and Skype to its bug bounty program

Source: https://cobaltstrike.net/2022/04/07/microsoft-has-added-local-versions-of-exchange-sharepoint-and-skype-to-its-bug-bounty-program/



Microsoft has announced that on-premises versions of Exchange, SharePoint and Skype for Business are now covered by its Applications and On-Premises Servers Bounty Program, which rewards researchers for vulnerabilities they discover in applications and on-premises services.

The maximum reward for a properly submitted report of a dangerous vulnerability in these products is $26,000.

Microsoft offers a 20% higher reward for server-side request forgery (SSRF) vulnerabilities in Exchange that allow attackers to make server-side HTTP requests to arbitrary URLs. The same applies to SSRF vulnerabilities in SharePoint.

In addition, the reward for vulnerabilities involving insecure deserialization of user-controlled data that can lead to remote code execution on the server has increased by 30%.

Microsoft also offers a 20% higher reward for vulnerabilities that allow data to be written to a user-controlled location on the server, as well as for authorization bypass vulnerabilities that let unauthorized attackers carry out mass attacks.

The reward for vulnerabilities in the Exchange Emergency Mitigation Service (EEMS) has increased by 15%.
