Microsoft’s latest bug bounty invites hackers to find security vulnerabilities in Office Insider builds, the version of its productivity suite it tests with enthusiasts before general release.
Redmond will be offering hackers between $500 and $15,000 for each bug they find and report in the Office Insider preview on Windows desktop. The bounty runs between March 15 and June 17.
Eligible bugs need to be previously unreported in the current Office Insider build on a fully patched Windows 10 desktop. It also needs to reproducible on the most recent Office Insider slow build.
The top award goes to a high quality report for elevation of privilege flaws that escape the Office Protected View sandbox, which Microsoft has designed to protect users when opening untrusted documents.
The other top payout is for a Macro execution that bypasses Office security policies that are designed to block macros in Word, Excel and Power Point.
To counter the recent resurgence in macro-based malware, Microsoft recently introduced new admin features in Office 2016 to prevent users from running macros when they’re in documents received from untrusted sources.
“By default, the macro security policies block execution of macros without user interaction,” Microsoft noted, announcing the Office Insider bounty. “In this bounty program, we are encouraging researchers to send us information about vulnerabilities that would allow automatic macro execution in Microsoft Word, Excel and PowerPoint without additional user interaction in the default configuration and without trusting the document.”
Microsoft will also pay up to $9,000 for a bug that bypasses Outlook’s list of blocked attachment types, such as JavaScript (.js) .
“Several file extensions are currently blocked as attachments in Outlook. We’re looking for techniques that will enable bypassing the existing block policies for the list of extensions detailed below,” says Microsoft.
Earlier this month Microsoft doubled cash rewards for its Online Services bounty, offering up to $30,000 for critical flaws in core domains for Office 365. That higher rewards are available until May 1.
Another bounty that remains open until May 15 is the Edge on Windows Insider Preview bounty. This launched in August last year and offers up to $15,000 for a remote code execution bug in its browser.