Microsoft Announces ‘Identity Bounty Program’ for Discovering Serious Vulnerabilities in its Identity Services

On Tuesday, July 17th, Microsoft announced its Identity Bounty Program, which offers premium rewards to bug researchers and hunters who discover security-related vulnerabilities in its identity services.

According to Phillip Misner, Principal Security Group Manager at the Microsoft Security Response Center, Microsoft has invested heavily in the privacy and security of its consumer and enterprise identity solutions and has focused on continually improving strong authentication, secure sign-in sessions, API security and similar critical infrastructure tasks. He commented, “We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.”

The program has been launched to keep this critical technology as secure as possible for its users. It gives bug and security researchers a channel for disclosing vulnerabilities in the identity services to Microsoft privately, so the company can resolve the problem before the technical details are published.

Pay Out Details

Payouts for this bounty program range from $500 to $100,000, depending on the impact of the bug the researcher has found and on the quality of the submission.

Vulnerability category                          High Quality Submission   Baseline Quality Submission   Incomplete Submission
Significant Authentication Bypass               Up to $40,000             Up to $10,000                 From $1,000
Multi-factor Authentication Bypass              Up to $100,000            Up to $50,000                 From $1,000
Standards design vulnerabilities                Up to $100,000            Up to $30,000                 From $2,500
Standards-based implementation vulnerabilities  Up to $75,000             Up to $25,000                 From $2,500
Cross-Site Scripting (XSS)                      Up to $10,000             Up to $4,000                  From $1,000
Cross-Site Request Forgery (CSRF)               Up to $20,000             Up to $5,000                  From $500
Authorization Flaw                              Up to $8,000              Up to $4,000                  From $500

Criteria for an Eligible Submission

Vulnerability submissions sent to Microsoft must meet the following criteria:

  • Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope.
  • Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if it is not obvious.
  • For mobile applications, vulnerability research must be reproduced on the latest and updated version of the mobile OS and app.

In addition, the discovered bug must affect one of the following in-scope products or specifications:

  • Microsoft Authenticator (iOS and Android applications)*
  • OpenID Foundation – The OpenID Connect Family
    • OpenID Connect Core
    • OpenID Connect Discovery
    • OpenID Connect Session
    • OAuth 2.0 Multiple Response Types
    • OAuth 2.0 Form Post Response Types

The program makes sense, given that Microsoft's identity services serve millions of registered users all over the world.

More details on the program, including payment criteria, prohibited research methods and the criteria for ineligible submissions, are available from Microsoft.

Maira Ahmed
