Microsoft is launching a bug bounty program focused on customer security. The program is called the Identity Bounty Program, and it will offer bounties ranging from $500 to $100,000 for disclosing security vulnerabilities in the company's identity services.
What Is Microsoft’s Identity Bounty Program All About
As announced in a blog post by Philip Misner, Microsoft's Principal Security Group Manager, the company has "strongly invested in the creation, implementation and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation". He also noted that the security of customers' digital identities when accessing services online is more important than ever.
In addition, the Identity Bounty Program gives security researchers the opportunity to disclose flaws in identity services privately, allowing Microsoft to resolve the reported issues before technical details are published. The bounty program is also to be extended to specific implementations of select OpenID standards.
As usual, the bug bounty program sets certain criteria that a submission must meet to be accepted:
– Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope;
– Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account;
– Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries;
– Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version;
– Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.);
– Include the impact of the vulnerability;
– Include an attack vector if not obvious.
Microsoft has also listed the login and authentication tools included in this program:
Microsoft Authenticator (iOS and Android applications)
It should be noted that for mobile applications, the discovered vulnerability must reproduce on the latest version of the app in question and of the mobile operating system.
As for the payouts, higher amounts are typically awarded to researchers who provide high-quality reports with a sufficient amount of supporting data. Vulnerability reports with higher impact are also paid more. Conversely, flaws that require user interaction to be exploited are rewarded with lower payouts. In cases where the same vulnerability is reported by different researchers, the payout goes to the first submission.
If you are interested in the Identity Bounty Program and want to learn more about it, make sure to read the full description offered by Microsoft.