InfoSecBulletin Cybersecurity for mankind
Microsoft has announced a major expansion of its Microsoft 365 Bounty Program. The program now covers new Viva products for identifying vulnerabilities, offering rewards up to $27,000 for critical submissions.
This update highlights Microsoft’s commitment to improving software security and promoting global collaboration in finding vulnerabilities.
10 New Vulnerabilities Discovered in MediaTek Chipsets
Qualcomm’s March 2025 Security Bulletin Highlights Major Vulns
Cyberattack detected at Polish space agency, minister says
Nearly 12,000 API Keys and Passwords Found in Public Datasets
Android Phone’s Unlocked Using Cellebrite’s Zero-day Exploit
DragonForce Ransomware Targets Saudi Company, 6TB Data Stolen
Microsoft Uncovers Hackers Selling Illegal Azure AI Access
By 2025, India’s First Semiconductor Chip to be ready
CVE-2025-20111
Cisco Warns Vulns in Nexus 3000 and 9000 Series Switches
CVE-2025-0475 & CVE-2025-0555
GitLab’s High-Risk Flaw, Patch Now Urgently!
The expanded scope introduces four new Viva products to the program:
Feature Access Control
Glint
Learning
Pulse
These additions are meant to improve the security of the Viva suite, part of Microsoft’s employee experience platform.
Viva works seamlessly with Microsoft Teams and other M365 apps, providing tools for employee engagement, learning, and productivity.
Researchers can now submit vulnerabilities in these components under the categories of “Critical” and “Important,” depending on severity.
Yammer has been rebranded as Viva Engage to unify Microsoft’s Viva product line. Bounty rewards range from $500 to $27,000 USD based on the severity and quality of vulnerability reports.
Critical vulnerabilities in new Viva products qualify for the highest reward. This encourages researchers to tackle important issues that could harm users if ignored. To be eligible for rewards, submissions must meet Microsoft’s strict criteria in their Bounty Terms and Conditions.
Technical Focus Areas:
The M365 Bounty Program encourages researchers to explore certain areas and features of Microsoft 365 services.
The addition of Viva products will likely focus vulnerability assessments on access control, data integrity, and user authentication.
The program’s goal is to identify flaws that could compromise data security or system functionality. For instance:
In Feature Access Control, researchers might examine how permissions are enforced across different user roles.
In Viva Learning, they could analyze integrations with external learning management systems (LMS) or data-sharing protocols.
Pulse and Glint, which focus on employee feedback and analytics, may require scrutiny for potential data leaks or unauthorized access vulnerabilities.
Security researchers interested in participating can visit Microsoft’s official M365 Bounty Program page for detailed guidelines.
Submissions must contain clear proof-of-concept code or steps to reproduce the vulnerability. Reports are assessed for impact, exploitability, and clarity.
Cyber threats are constantly changing, so programs like these are essential for protecting digital environments and enabling ethical hackers to contribute effectively.
