Microsoft has launched the Microsoft Online Services Bug Bounty Programme to uncover security issues and protect users as quickly as it can. The programme covers Microsoft's Online Services and offers rewards to security researchers who report the security vulnerabilities they discover to Microsoft. Rewards for qualified submissions start at around £300, but can be higher depending on the impact of the vulnerability submitted.
Qualified submissions include Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), unauthorised cross-tenant data tampering or access (for multi-tenant services), insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation and significant security misconfiguration.
The domains available to hack include portal.office.com, .outlook.com, outlook.office365.com, login.microsoftonline.com, .sharepoint.com, .lync.com, .officeapps.live.com, www.yammer.com, api.yammer.com, adminwebservice.microsoftonline.com, provisioningapi.microsoftonline.com, and graph.windows.net.