Microsoft has added its Power Platform software portfolio to its Dynamics 365 bug bounty program, rebranding the initiative as the Dynamics 365 and Power Platform Bounty Program.
Microsoft launched its Dynamics 365 Bounty program in July 2019, offering rewards up to US$20,000 for eligible vulnerabilities in both Dynamics 365 online services and the latest edition of Dynamics 365 on-premises.
While the reward payout hasn’t changed, the scope has, with Microsoft’s Power Platform line of business intelligence, app development and process automation software joining the program.
“Through this expanded program, we encourage researchers to discover and report high impact security vulnerabilities they may find in the new Power Platform scope to help protect customers,” Microsoft Security Response Centre’s Madeline Eckert and Lynn Miyashita said in an online post, published 13 October.
The additional Microsoft products that are now eligible for bounty awards are Power Apps, Power Automate, Power Virtual Agent and Power Portals.
“Researchers can expect to see the Dynamics 365 and Power Platform Bounty Program continue to grow as we identify new areas of scope for bounty eligibility,” Eckert and Miyashita said.
“Through targeted and expanding program scope, Microsoft can better protect our customers and partner with researchers to secure new and interesting attack surface,” the pair added.
In late July Microsoft extended its ongoing ‘bug bounty’ program to its Teams mobile applications, offering rewards of up to US$30,000.
The global giant previously added Teams to the security research program in March, but this marks the first recognition of the mobile application.
Broken down, the program will offer between US$15,000 and US$30,000 for two scenario-based awards focused on vulnerabilities that have the highest potential impact on customer privacy and security. It will also offer rewards from US$500 to US$15,000 for other eligible vulnerability reports for Teams iOS and Android mobile applications.
In early July Microsoft revealed it had awarded US$13.6 million in bug bounties to more than 340 security researchers across 58 countries during the 12 months to 30 June, US$100,000 less than its bounty tally in the year prior.