“Bug bounty” schemes are one way for software firms to encourage people to tell them about vulnerabilities rather than exploiting them. Microsoft has expanded its own bug bounty scheme to include its online services, kicking off with a minimum payment of $500 for any identified major security bugs in Office 365.
To qualify, the vulnerability must be on a specified list of Microsoft-hosted domains for Office 365 and related services. You also have to be over 14, which is bad news for security experts in training. Hit the announcement blog post for more details.