Microsoft adds OneDrive to bug bounty programme

Microsoft has added its cloud storage service, OneDrive, to its bug bounty programme.

It means that security researchers who uncover flaws in the service can get rewards worth anywhere between $500 and $15,000, and Microsoft said it is a sign it is taking cloud security more seriously.

“We continue to add new properties to our security bug bounty programs to help keep our customers secure,” Jason Shirk, senior director of Microsoft Security Response Center wrote on the company’s site, TechNet.

“This addition further incentivizes security researchers to report service vulnerabilities to Microsoft.”

Researchers who discover bugs in XSS, CSRF, injection vulnerabilities, server-side code execution, privilege escalation, and insecure direct object references are eligible for rewards under the programme.

Terry Ip, security consultant at MWR InfoSecurity, said that adding OneDrive to the programme may be “essentially a crowdsourcing effort from the security research community, either in place of or in addition to testing by their security vendor”.

He added: “Whilst the bounty can seem large in some cases, the payout is often lower than the costs involved in employing full-time security researchers.

"One of the key things for security researchers to be aware of is adhering to the scope of the bounty program. Going out of scope could result in legal issues or pay out disputes, despite the good intentions of the researcher.”

The bug bounty programme terms and conditions covering OneDrive can be read here.