On Tuesday, July 17th, Microsoft announced its Identity Bounty Program, which offers premium rewards to bug hunters and security researchers who discover security vulnerabilities in its identity services.
According to Phillip Misner, Principal Security Group Manager of the Microsoft Security Response Center, Microsoft has invested heavily in the privacy and security of its consumer and enterprise identity solutions and has focused on continual improvement of strong authentication, secure sign-in sessions, API security, and other critical infrastructure tasks. He commented, “We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.”
The program has been launched to keep this critical technology as secure as possible for its users. It gives bug hunters and security researchers a way to disclose vulnerabilities in the identity services to Microsoft privately, so that the company can resolve the problem before the technical details are published.
Payout Details
Payouts for this bounty program range from $500 to $100,000, depending on the impact of the bug the researcher has found and the quality of the submission.
| Vulnerability Category | High Quality Submission | Baseline Quality Submission | Incomplete Submission |
|---|---|---|---|
| Significant Authentication Bypass | Up to $40,000 | Up to $10,000 | From $1,000 |
| Multi-factor Authentication Bypass | Up to $100,000 | Up to $50,000 | From $1,000 |
| Standards design vulnerabilities | Up to $100,000 | Up to $30,000 | From $2,500 |
| Standards-based implementation vulnerabilities | Up to $75,000 | Up to $25,000 | From $2,500 |
| Cross-Site Scripting (XSS) | Up to $10,000 | Up to $4,000 | From $1,000 |
| Cross-Site Request Forgery (CSRF) | Up to $20,000 | Up to $5,000 | From $500 |
| Authorization Flaw | Up to $8,000 | Up to $4,000 | From $500 |
Criteria for an Eligible Submission
Vulnerability submissions sent to Microsoft must meet the following criteria:
- Identify an original and previously unreported critical or important vulnerability that reproduces in the Microsoft Identity services listed within scope.
- Identify an original and previously unreported vulnerability that results in the takeover of a Microsoft Account or Azure Active Directory account.
- Identify an original and previously unreported vulnerability in the listed OpenID standards, or in the protocol as implemented in Microsoft's certified products, services, or libraries.
- Submissions may target any version of the Microsoft Authenticator application, but bounty awards are only paid if the bug reproduces against the latest publicly available version.
- Include a description of the issue and concise, easily understood reproduction steps. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability.
- Include an attack vector if it is not obvious.
- For mobile applications, the vulnerability must be reproduced on the latest version of the mobile OS and app.
Also, the discovered bug must affect one of the following in-scope products or specifications:
- Microsoft Authenticator (iOS and Android applications)*
- OpenID Foundation – The OpenID Connect Family
  - OpenID Connect Core
  - OpenID Connect Discovery
  - OpenID Connect Session
  - OAuth 2.0 Multiple Response Types
  - OAuth 2.0 Form Post Response Types
The program makes sense, given that Microsoft's identity services have millions of registered users all over the world.
More details on the program, including payment criteria, prohibited research methods, and the criteria for ineligible submissions, can be found on Microsoft's program page.