Microsoft flips security script: ‘In scope by default’ makes all vulnerabilities fair game for bug bounties

However, these rules of engagement prohibit red teamers from using or accessing credentials that aren’t their own, launching phishing attacks against Microsoft employees, performing denial-of-service testing or other testing that generates excessive traffic, or interacting with storage accounts not included in a user’s own subscription.

Pros and cons to the approach

This widening of scope isn’t necessarily new, noted Info-Tech’s Avakian, though cloud service providers (CSPs), financial institutions, and SaaS companies publish narrower scope language and handle many cases through back-channel negotiation. But much of this still relies heavily on researcher goodwill and internal judgment calls.

Microsoft’s wider scope is a bit different, and could result in fewer gray-area arguments and the “is this in scope?” back-and-forth questioning that can expend time and create friction with researchers, said Avakian. It also provides better signaling: If people don’t fear disqualification, they’re more likely to submit early-stage findings. This is great for defenders and can foster stronger trust in the research community.
