Microsoft’s Identity Bounty program pays out up to $100,000 for bugs in its identity solutions as well as bugs in select OpenID standards.
Microsoft launched a new bug bounty program specifically aimed at identity services with bounty payouts ranging from $500 to $100,000.
Microsoft’s Identity Bounty program will reward researchers for finding eligible bugs not only in its identity solutions but also in “certified implementations of select OpenID standards.”
Microsoft’s Principal Security Group Manager Phillip Misner announced the new program on the Microsoft Security Response Center (MSRC) blog.
Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation. In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program.
Vulnerability submissions eligible for a payout must meet certain criteria:
The scope of bugs affecting Microsoft’s identity services is listed as those that impact:
For ID bugs in non-Microsoft products, the scope is:
There are eight types of bugs that can be reported, with high-quality reports earning the biggest payouts.
Microsoft explained, “A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”
The highest possible payout is for multi-factor authentication bypass: a high-quality bug report could earn up to $100,000, a baseline-quality submission up to $50,000, and an incomplete submission is listed as starting from $1,000.
Standards design vulnerabilities have the next highest payout: up to $100,000 for high-quality submissions, up to $30,000 for baseline-quality submissions, and from $2,500 for incomplete submissions.
The third highest rewarded category is standards-based implementation vulnerabilities, which could pay out up to $75,000 for high-quality reports, up to $25,000 for baseline-quality reports, and from $2,500 for incomplete reports.
The other five types of bugs that can be reported, in descending order of the payout for a high-quality report, are: significant authentication bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), authorization flaws, and sensitive data exposure.
Go forth and conquer, security researchers. In the words of Misner, “Happy hunting!”