Microsoft’s new bounty program pays up to $100,000 for finding bugs in its Identity Services
Microsoft on Tuesday announced a new bug bounty program for bug hunters and security researchers that focuses on protecting consumer data online.
For those unaware, a digital identity is the body of information about an individual, organization or electronic device that exists online. Digital identities of customers are usually the key to accessing enterprise applications and services and interacting across the Internet.
Phillip Misner, Microsoft’s Principal Security Group Manager, in a blog post noted that the company has heavily invested in the “creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.”
Therefore, in order to improve the security of its identity solutions Microsoft has launched a new bug bounty program called the ‘Identity Bounty Program’. In this program, hackers and security researchers can earn payouts ranging from $500 to $100,000, if they are able to find vulnerabilities in Microsoft’s “digital identity services”.
While the new bug bounty program covers Microsoft Account (consumer) and Azure Active Directory (enterprise) identity solutions, it is also extended to certain implementations of select OpenID standards as well.
Under the Identity Bounty Program, the researchers will get an opportunity to disclose security vulnerabilities in the identity services to Microsoft privately and also fix the issue before publishing technical details and get rewarded for the same.
“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Misner.
“Submissions for standards protocol or implementation bounties need to be with a fully ratified identity standard in the scope of this bounty and have discovered a security vulnerability with the protocol implemented in our certified products, services, or libraries.”
The following criteria(s) are required to be met while submitting eligible vulnerabilities for a payout:
- Identify an original and previously unreported critical or important vulnerability that reproduces in Microsoft Identity services that are listed within scope.
- Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
- Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
- Submit against any version of Microsoft Authenticator application, but bounty awards will be paid only if the bug reproduces against the latest, publicly available version.
- Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability.
- Include an attack vector if not obvious.
The following login and authentication tools are included in the scope of this program:
- windows.net
- microsoftonline.com
- live.com
- live.com
- windowsazure.com
- activedirectory.windowsazure.com
- activedirectory.windowsazure.com
- office.com
- microsoftonline.com
- Microsoft Authenticator (iOS and Android applications)
Please note that the vulnerability research must reproduce on the latest version of the application and mobile operating system.
For ID bugs in non-Microsoft products, the scope is:
- OpenID Foundation – The OpenID Connect Family
- OpenID Connect Core
- OpenID Connect Discovery
- OpenID Connect Session
- OAuth 2.0 Multiple Response Types
- OAuth 2.0 Form Post Response Types
- Microsoft products and services Certified Implementations listed under OpenID certification
As mentioned earlier, rewards for submissions that qualify for a bounty range from $500 up to $100,000, which are available for a significant authentication bypass, multi-factor authentication bypass, standards-based implementation vulnerabilities, cross-site scripting (XSS), cross-site request forgery (CSRF), authorization flaw, and sensitive data exposure.
The payouts will be awarded for submissions varying from incomplete to baseline quality to high quality submissions that will take the top reward. For example, a researcher can earn $100,000 for high-quality multi-factor authentication bypass submission.
Higher payouts are given based on the quality of the report and the security impact of the vulnerability, Microsoft said. “Security researchers are encouraged to provide as much data at the time of submission to be more likely of the highest payout possible,” said the company. “We typically reward lower amounts for vulnerabilities that require significant user interaction.”
To find out more about the Identity Bounty Program, visit Microsoft’s official site.
