Microsoft Starts Identity Bounty Program with Payouts up to $100,000
CYBER NEWS

Microsoft Starts Identity Bounty Program with Payouts up to $100,000

Microsoft is initiating a bug bounty program that is focused on customer security. The program is called Identity Bounty Program and it will offer bounties ranging from $500 to $100,000 for unveiling security vulnerability in the company’s identity services.




What Is Microsoft’s Identity Bounty Program All About

As announced in a blog post by Philip Misner, Microsoft’s Principal Security Group Manager, the company has “strongly invested in the creation, implementation and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation”. He also commented that the security of customers’ digital identities in accessing service online is more significant than ever.

In addition, the Identity Bounty Program is giving the opportunity to security researchers to disclose flaws in identity services in a private manner, allowing Microsoft to resolve the disclosed issues prior to publishing technical details. The bounty program should also be extended to specific implementations of select OpenID standards.

Related Story: Too Little, Too Late: Facebook Launches Data Abuse Bounty

As usual, the bug bounty program has certain criteria that should be met for the submission to be accepted:

– Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope;
– Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account;
– Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries;
– Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version;
– Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.);
– Include the impact of the vulnerability;
– Include an attack vector if not obvious.

In addition, Microsoft has also revealed the login and authentication tools included in this program:

login.windows.net
login.microsoftonline.com
login.live.com
account.live.com
account.windowsazure.com
account.activedirectory.windowsazure.com
credential.activedirectory.windowsazure.com
portal.office.com
passwordreset.microsoftonline.com
Microsoft Authenticator (iOS and Android applications)

It should be noted that for mobile applications, the discovered vulnerability must reproduce on the latest version of the particular app and the mobile operating system.

As for the payouts, higher amounts are typically given to researchers who have provided high quality reports with sufficient amount of data. Vulnerability reports with higher impact are also paid more money. On the contrary, flaws that require user interaction to be exploited will be rewarded with lower payouts. In cases where a single vulnerability has been reported by different researchers, the payout is given to the first submission.

Related Story: July 2018 Patch Tuesday Fixes CVE-2018-8281, Microsoft Office Bugs

If you are interested in the Identity Bounty Program and want to learn more about it, make sure to read the full description offered by Microsoft.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...