提交的漏洞必须包含以下类型,但微软有权拒绝安全研究人员提交的漏洞,不管是否符合这些标准:
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Unauthorized cross-tenant data tampering or access (for multi-tenant services)
Insecure direct object references
Injection Flaws
Authentication Flaws
Server-side Code Execution
Privilege Escalation
Significant Security Misconfiguration
另外只有以下这些领域的漏洞才符合Bug赏金计划的要求:
portal.office.com
*.outlook.com (Office 365 for business email services applications, excluding any consumer “outlook.com” services)
outlook.office365.com
login.microsoftonline.com
*.sharepoint.com
*.lync.com
*.officeapps.live.com
www.yammer.com
api.yammer.com
adminwebservice.microsoftonline.com
provisioningapi.microsoftonline.com
graph.windows.net