Microsoft has created bug bounty programs for many of its services in the past few years. Now, the tech giant has announced a similar initiative that will be focussed towards customer security. Dubbed the Identity Bounty Program, it will offer payouts ranging from $500 to $100,000 for discovering security vulnerabilities in identity services.
In a blog post, Phillip Misner, Microsoft's Principal Security Group Manager, noted the significance of a customer's digital identity in accessing services all over the internet. He also commented on the company's efforts towards the protection of consumer and enterprise privacy, noting:
We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.
The Identity Bounty Program offers security researchers an opportunity to disclose vulnerabilities in identity services privately to Microsoft, allowing them to resolve the issue before publishing any technical details. Interestingly, the bounty will be extended to certain implementations of select OpenID standards as well.
The following criteria will need to be fulfilled in order to constitute a submission as eligible:
- Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope.
- Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
- Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
- Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
- Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability
- Include an attack vector if not obvious
The login and authentication tools included in the scope of this program are as follows:
- Microsoft Authenticator (iOS and Android applications)
Note that for mobile applications, the vulnerability research must reproduce on the latest version of the app and the mobile OS.
As stated before, the bounty for eligible submissions will range from $500 to $100,000. Generally in these programs, higher payouts are given on the basis of the quality of the report, the amount of data provided at the time of submission, and the security impact of the vulnerability. On the other hand, issues that require significant user interaction are typically rewarded with lower amounts. In case the company receives multiple reports regarding the same issue from different parties, the payout is awarded to the first submission.
Given that Microsoft has millions of registered users worldwide, it makes sense that the tech giant is offering bounties for bugs located within its identity services. Further details regarding ineligible submissions, prohibited security research methods, payment criteria, and services considered out of the scope of the program can be obtained here.