Microsoft Bug Bounty Program
Microsoft today launched a new bug bounty program for bug hunters and researchers finding security vulnerabilities in its "identity services."

Hacking into networks and stealing data have become common and easier than ever but not all data holds the same business value or carries the same risk.

Since new security today depends on the collaborative communication of identities and identity data within, and across domains, digital identities of customers are usually the key to accessing services and interacting across the Internet.

Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks."
Cybersecurity

Therefore, to further bolster its customers' security, the tech giant has launched an all-new, and independent bug bounty program.

Dubbed Microsoft Identity Bounty Program, the newly-launched bug bounty program covers Microsoft Account and Azure Active Directory identity solutions, as well as some implementations of the OpenID specifications.

The payouts for the new Microsoft Identity Bounty Program range from $500 to $100,000, depending upon the impact of security researchers and bug hunters find.
"If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details," wrote Phillip Misner, Principal Security Group Manager.
"Submissions for standards protocol or implementation bounties need to be with a fully ratified identity standard in the scope of this bounty and have discovered a security vulnerability with the protocol implemented in our certified products, services, or libraries."

Microsoft's Identity Bounty Program

bug bounty
If you want to take part in the Microsoft Identity Bounty program, you'll need to offer high-quality submissions that reflect the research that you put into your finding, and share your knowledge and expertise with Microsoft developers and engineers, so they can quickly reproduce, understand, and fix the issue.
Cybersecurity

To be eligible for payouts from Microsoft, you will need to meet the following criteria:

  • Identify an original and previously unreported critical or important flaw that reproduces in Microsoft's Identity services listed within scope.
  • Identify an original and previously unreported flaw that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported flaw in listed OpenID standards or with the protocol implemented in Microsoft's certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the vulnerability reproduces against the latest, publicly available version.
  • Include a description of the issue you found and concise reproducibility steps that are easily understood. (This allows submissions to be processed quickly and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if not obvious.

Also, the vulnerability must impact one of the following login tools:
  • login.windows.net
  • login.microsoftonline.com
  • login.live.com
  • account.live.com
  • account.windowsazure.com
  • account.activedirectory.windowsazure.com
  • credential.activedirectory.windowsazure.com
  • portal.office.com
  • passwordreset.microsoftonline.com
  • Microsoft Authenticator for iOS and Android applications
Higher payouts are given to the researchers based on the quality of their report and the security impact of the vulnerability they found.

Lower amounts are typically given for vulnerabilities that require significant user interaction.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.