
High-impact security flaw bounties increased by Microsoft

ZDNet reports that Microsoft has introduced higher "scenario-based awards" for vulnerabilities disclosed to its Microsoft 365 Bounty Program and its Dynamics and Power Platform Bounty Program, with the aim of prioritizing the flaws that carry the greatest customer privacy and security impact. The scenario-based awards are paid on top of the existing bounties for remote code execution and privilege escalation bugs; in Dynamics 365 and Power Platform, the scenario-based award covers cross-tenant information disclosure vulnerabilities and is eligible for up to $20,000. In addition, bonuses of 15% to 30% are being awarded on top of standard bounties for vulnerabilities affecting Office 365 offerings and the Microsoft Outlook, SharePoint Online, Teams, Skype, and OneDrive Account pages. Microsoft noted that a 30% bonus applies to remote code execution arising from untrusted input, specifically CWE-94 "Improper Control of Generation of Code" and CWE-502 "Deserialization of Untrusted Data," while a 20% bonus applies to unauthorized cross-tenant and cross-identity leakage of sensitive data, specifically CWE-488 "Exposure of Data Element to Wrong Session" and CWE-200 "Exposure of Sensitive Information to an Unauthorized Actor."
