Hacking into networks and stealing data have become common and easier than ever, but not all data holds the same business value or carries the same risk.
Since security today depends on the collaborative exchange of identities and identity data within and across domains, customers' digital identities are usually the key to accessing services and interacting across the Internet.
Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks."
Therefore, to further bolster its customers' security, the tech giant has launched an all-new and independent bug bounty program.
Dubbed Microsoft Identity Bounty Program, the newly-launched bug bounty program covers Microsoft Account and Azure Active Directory identity solutions, as well as some implementations of the OpenID specifications.
The payouts for the new Microsoft Identity Bounty Program range from $500 to $100,000, depending on the impact of the vulnerabilities that security researchers and bug hunters find.
"If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details," wrote Phillip Misner, Principal Security Group Manager.
"Submissions for standards protocol or implementation bounties need to be with a fully ratified identity standard in the scope of this bounty and have discovered a security vulnerability with the protocol implemented in our certified products, services, or libraries."
Microsoft's Identity Bounty Program
To be eligible for payouts from Microsoft, you will need to meet the following criteria:
- Identify an original and previously unreported critical or important flaw that reproduces in Microsoft's Identity services listed within scope.
- Identify an original and previously unreported flaw that results in the taking over of a Microsoft Account or Azure Active Directory Account.
- Identify an original and previously unreported flaw in listed OpenID standards or with the protocol implemented in Microsoft's certified products, services, or libraries.
- Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the vulnerability reproduces against the latest, publicly available version.
- Include a description of the issue you found and concise reproducibility steps that are easily understood. (This allows submissions to be processed quickly and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability.
- Include an attack vector if not obvious.
Also, the vulnerability must impact one of the following login tools:
- Microsoft Authenticator for iOS and Android applications
Lower amounts are typically given for vulnerabilities that require significant user interaction.