Microsoft to open up bug bounty programme to find flaws in OneDrive

Bug hunters get rewarded for finding vulnerabilities in cloud storage service

Bug hunters will be rewarded for finding vulnerabilities in OneDrive
Microsoft said it will add cloud-based storage service OneDrive to the list of services included in its Bug Bounty Programme. Security researchers who flag flaws could be in line for rewards of up to $15,000 (£10,416).

In a blog post on the firm's TechNet website, it revealed that OneDrive will be covered by the same terms of service as its other online and cloud services. The pay-outs will range from $500 – $15,000 (£347-£10,416).

Among the types of bug eligible for reward are XSS, CSRF, insecure direct object references, injection vulnerabilities, server-side code execution, privilege escalation, and significant security misconfiguration when not caused by users.

However, the programme prohibits DoS testing, performing automated testing of services that generates significant amounts of traffic, or gaining access to any data that doesn't belong to the security researcher.

It also prohibits any attempt at phishing or other social engineering attacks against Microsoft employees.

“Generally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains. Additionally, in order for submissions to be processed as quickly as possible and to ensure the highest payment for the type of vulnerability being reported, submissions should include concise repro steps that are easily understood,” the firm said.

Security researchers can learn more about the programme and OneDrive's place within it by visiting Microsoft's booth at the forthcoming CanSecWest in Vancouver, Canada.

Tim Erlin, director, security and IT risk strategist at Tripwire, told SC Magazine that bug bounties create “a mountain of work for the software companies that offer them”.

“Not only does a bounty programme increase the number of patches that need to be created, tested and released, it also generates a large number of false reports that must be filtered. While the benefits are well understood, the security community doesn't always discuss the costs associated with running a successful bug bounty programme.

“By limiting the scope of a bounty programme, an organisation can help to contain the costs and ensure that the programme is effective and responsive,” he said.

David Gibson, VP of strategy and market development at Varonis, told SC Magazine that it's reasonable to expect that any publicly facing infrastructure will be poked and prodded for bugs and vulnerabilities.

“It's also reasonable to expect that if you store valuable data, someone is going to try to access it. As both a public-facing system and one that stores valuable data, OneDrive is a prime target for attackers. A bug bounty is a very sensible measure for Microsoft to take to stay a step ahead of attackers, but pack your own chute – make sure your organisation is able to monitor any sensitive data it's storing in OneDrive for unauthorised access,” he said.