Microsoft Dynamics 365 and Power Platform Bounty Program
PROGRAM DESCRIPTION
Dynamics 365 is a suite of intelligent business applications designed to connect customers, products, people, and operations.
Power Platform is a line of applications created so that companies can analyze data, build solutions, automate processes, and create virtual agents to overcome business challenges.
We invite individuals or organizations to identify security vulnerabilities in targeted Dynamics 365 and Power Platform applications and share them with our team. Qualified submissions are eligible for bounty rewards of $500 to $30,000 USD.
This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.
DYNAMICS 365 IN-SCOPE SERVICES AND PRODUCTS
Most vulnerabilities submitted against Dynamics 365 applications are eligible under this program.
- Microsoft Dynamics 365 online applications, including
- Dynamics 365 Sales
- Dynamics 365 Customer Service
- Dynamics 365 Field Service
- Dynamics 365 Human Resources
- Dynamics 365 Finance
- Dynamics 365 Project Operations
- Dynamics 365 Commerce
- Dynamics 365 Project Service Automation
- Dynamics 365 Marketing
- Dynamics 365 Remote Assist
- Dynamics 365 Customer Insights
- Dynamics 365 Business Central
- Dynamics 365 General
- Microsoft Dynamics 365 on-premise products
- Microsoft Dynamics AX
- Microsoft Dynamics CRM
- Microsoft Dynamics GP
- Microsoft Dynamics NAV
- Microsoft Dynamics SL
POWER PLATFORM IN-SCOPE SERVICES AND PRODUCTS
Related Bounty Programs
Submissions identifying vulnerabilities in Office 365, Microsoft Account, Azure DevOps, and other online services will be considered under our service-specific or product-specific cloud bounty programs, including the Azure Bounty Program, M365 Bounty Program, Microsoft Identity Bounty Program, or Azure DevOps Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. Vulnerability submissions must meet the following criteria to be eligible for bounty award:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be of previously unreported Critical or Important severity and must reproduce in one of the in-scope products or services.
- Include clear, concise, and reproducible steps, either in writing or in video format.
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
We request researchers include the following information to help us quickly assess their submission
- Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
GETTING STARTED
Dynamics 365
- Sign up for a free trial of Dynamics 365.
- To learn about Dynamics 365, please see our documentation site and follow the Dynamics 365 blog and Dynamics 365 community to hear about the latest features and updates.
Power Platform
- Before sharing your research, check out our documentation site, security FAQs and commonly reported issues.
When setting up an account in Power Platform, please select “sign in with new OrgID.” You will then be prompted to create a new OrgID and create a test tenant. A trial license will be assigned automatically
- Power Apps
- Microsoft Power Apps documentation - Power Apps | Microsoft Docs
- Sign up for free
- Microsoft Power Apps documentation - Power Apps | Microsoft Docs
- Power Automate
- Get started with Power Automate - Power Automate | Microsoft Docs
- Sign in with OrgID
- Open Power Automate
- Power Virtual Agent
- Get started with Power Virtual Agents bots - Learn | Microsoft Docs
- Sign in with OrgId
- Go through tutorial
- Power Pages
- Get started with Power Pages - Training | Microsoft Learn
- Sign in with OrgId
- Go through tutorial
- Go through tutorial
BOUNTY AWARDS
Bounty awards range from $500 up to $30,000. Higher awards are possible, at Microsoft’s sole discretion, based on the impact and severity of the vulnerability, and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program.
If a reported vulnerability does not qualify for a bounty award under the High-Impact Scenarios, it may be eligible for a bounty award under General Awards. Eligible submissions will be awarded the single highest qualifying award.
High-Impact Scenario Awards
Scenario | Maximum Award |
---|---|
Cross-tenant information disclosure Power Platform escalation of privileges in Dataverse using an entry point other than Dataverse to gain access to Dataverse Dataverse Plugin Sandbox "guest to host" escape |
$20,000 *$30,000
20% *70% Bounty Multiplier 20% *70% Bounty Multiplier |
In all scenarios, please follow the Research Rules of Engagement to ensure your research does not harm customer data, privacy, or service availability. If in doubt, please contact bounty@microsoft.com.
General Awards
Security Impact | Report Quality | Severity | |||
---|---|---|---|---|---|
Critical
|
Important
|
Moderate
|
Low
|
||
Remote Code Execution |
High
Medium Low |
$20,000 *$30,000
$15,000 *$22,500 $10,000 *$15,000 |
$15,000 *$22,500
$10,000 *15,000 $5,000 *$7,500 |
$0 |
$0 |
Elevation of Privilege |
High
Medium Low |
$8,000 *$12,000
$4,000 *$6,000 $3,000 *$4,500 |
$5,000 *$7,500
$2,000 *$3,000 $1,000 *$1,500 |
$0 |
$0 |
Information Disclosure |
High
Medium Low |
$8,000
$4,000 $3,000 |
$5,000
$2,000 $1,000 |
$0 |
$0 |
Spoofing |
High
Medium Low |
N/A
|
$3,000
$1,200 $500 |
$0 |
$0 |
Tampering |
High
Medium Low |
N/A
|
$3,000
$1,200 $500 |
$0 |
$0 |
Denial of Service |
High/Low
|
Out of Scope
|
*50% increase in High Impact Scenarios and eligible security impacts for Zero Day Quest event.
N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category
Sample high- and low-quality reports are available here.
IN SCOPE VULNERABILITIES
The following are examples of vulnerabilities that may lead to one or more of the above security impacts:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Unauthorized cross-tenant data tampering or access
- Using component with known vulnerabilities
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out-of-date library would not qualify for an award.
RESEARCH RULES OF ENGAGEMENT
The Dynamics 365 and Power Platform Bounty program’s scope is limited to technical vulnerabilities in Dynamics and Power Platform-related products and services. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:
- Gaining access to any data that is not wholly your own, including customers, Microsoft, or third-parties.
- For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, you are not allowed to use one of these accounts to access data that is not your own or a tenant that is not your own.
- not access any Microsoft or customer tenants during the course of your research
- Moving beyond “proof of concept” repro steps for server-side execution issues
- For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not.
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the terms for that service.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
OUT OF SCOPE VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty rewards. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft, or are already known by the wider security community
- Vulnerabilities in any version other than latest, fully patched version at time of submission
- Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
- Vulnerabilities on Microsoft Customer pages.
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities based on user-generated content or user-created apps
- Vulnerabilities requiring extensive or unlikely user actions
- Security misconfiguration of a service by a user or administrator
- Vulnerabilities based on third parties, for example:
- Vulnerabilities in third-party software
- Vulnerabilities in third-party extensions
- Vulnerabilities in platform technologies that are not unique Dynamics 365 (for example IIS, OpenSSL etc.)
- Out of scope vulnerability types, including:
- Server-side information disclosure
- Denial of service (DoS) attacks
- Cookie replay vulnerabilities
- Sub-domain takeovers
- Blind Cross-Site Scripting (XSS)
- Training, documentation, and community sites related to Dynamics 365 or Power Apps products are not in scope for bounty awards, including but not limited to:
- experience.dynamics.com
- community.dynamics.com
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation:
- Dependency Confusion issues
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
REVISION HISTORY
- July 17, 2019: Program launched.
- July 29, 2019: Documentation and training domains moved out of scope, including experience.dynamics.com and community.dynamics.com.
- October 13, 2021: Added Power Platform scope and rebranded program name.
- October 19, 2021: Added clarity to In Scope Vulnerabilities section.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- April 14, 2022: Added high impact scenario award for Dynamics 365 and Power Platform.
- May 3, 2022: Added additional getting started material for Power Platform.
- June 1, 2022: Updated product names in “Dynamics 365 In-Scope Services and Products”.
- April 20, 2023: Updated product name for “Power Portals” to “Power Pages”.
- June 1, 2023: Added Dependency Confusion issues to Out-of-Scope.
- February 14, 2024: Added additional High Impact Scenarios
- July 23, 2024: Updated Rules of Engagement and Out of Scoped Blind XSS
- November 19, 2024: Added temporary Zero Day Quest Award Multipliers for eligible security impacts and high impact scenarios.