Microsoft MSRC Quarterly Leaderboard, based on the security bug reports I submitted.
Table of Contents
Part 0 — Whoami?
Part 1 — Selecting a program
Part 2 — Let the hunt begin!
Part 3 — Reporting
Part 4 — Claiming the Rewards
Disclosure Timelines
Hello, I am Supakiad Satuwan, a Security Consultant from Thailand. In this article, I will go through the story of the first valid bug I found on the Microsoft bug bounty program. It gave me the opportunity to be ranked in the MSRC 2022 Q3 Security Researcher Leaderboard. Let’s get started!
What is MSRC?
The Microsoft Security Response Center (MSRC) is part of the Microsoft defender community and on the front line of Microsoft’s security response evolution. Through this platform, Microsoft engages with security researchers working to protect Microsoft’s customers and the broader ecosystem. For more details, see: Microsoft Security Response Center
Microsoft Dynamics 365 and Power Platform
Analyzing the target
I started the hunt on the Power Apps Platform.
While analyzing the Power Apps Platform and the applications on it, I noticed that an application sent requests to https://apps.powerapps.com.
It caught my attention. Therefore, I navigated to the following URL:
After opening the link, the XSS payload was executed as shown in the image below.
PoC
After discovering and confirming that the target was vulnerable to Cross-site Scripting (XSS), I immediately began the reporting process through the MSRC portal. It consists of the following steps:
MSRC Researcher Portal (microsoft.com)
After 4 days, the MSRC team replied and confirmed my report. ^_^
On the same day, the Microsoft bounty team replied that they were reviewing a possible bounty award for my vulnerability report.
A few hours later, I received great news from the MSRC team ^_^
Part 4 — Claiming the Rewards
After the Microsoft bounty team confirmed that my report was eligible for a bounty reward, they asked me to choose a payment provider for delivery of the bounty award.
Note: Currently, Microsoft only supports bounty award delivery through either Bugcrowd or Microsoft Payment Central.
A few weeks later, I received an email from Bugcrowd containing a submission-claiming link from the Microsoft Bug Bounty Program.
After claiming it, I received my first reward from the Microsoft Bug Bounty Program.
I have also been recognized on the recent Microsoft MSRC quarterly leaderboard and will be receiving some MSRC magic swag as a reward for my achievements!
Disclosure Timelines
Sep 23, 2022 — Vulnerability discovered and reported through the MSRC portal.
Sep 27, 2022 — MSRC team confirmed the report. MSRC ticket was moved to Review/Repro.
Sep 27, 2022 — MSRC status was changed from Review/Repro to Develop.
Dec 1, 2022 — MSRC status was changed to Pre-Release and Complete.
Dec 23, 2022 — Public release of the security advisory.
This is my first bug bounty writeup and covers one of the valid bugs I found on the Microsoft bounty program. I hope you enjoyed the story. Thank you for reading.
Special thanks to Suphitcha Worasing for reviewing the content and grammar.
Any comments and suggestions will be appreciated ^_^