Microsoft offers new bounty for identity services bugs




     Microsoft is offering payouts as high as $100,000 for flaws in its identity services and in certified implementations of the OpenID standards. The bounty covers Microsoft's digital identity solutions, which provide strong authentication, secure sign-in sessions and API security. Those solutions include Microsoft Account and Azure Active Directory, which offer identity and access capabilities for both consumer and enterprise applications, as well as Microsoft's implementation of the OpenID Connect protocol. In the announcement, Microsoft stated that "If you are a security researcher and have discovered a security vulnerability in the identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details." Phillip Misner, principal security group manager, added that "Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards."

     According to Microsoft, rewards of between $500 and $100,000 are available for a significant authentication bypass, a multi-factor authentication bypass, a standards-based implementation vulnerability, cross-site scripting, cross-site request forgery or an authorization flaw. Identity services are a critical component: every application that relies on them for sign-in inherits any flaw they contain, so a single bug can have a very high impact across a platform. The size of the payouts should attract researchers, since a finding in an identity service is likely to carry more weight than one in an ordinary service. Awards are scaled by report quality, from incomplete submissions, through baseline submissions, up to high-quality submissions, which take the top awards. A high-quality multi-factor authentication bypass submission can earn $100,000.




     Payout amounts are based on the quality of the report and the security impact of the vulnerability, according to Microsoft. Researchers are encouraged to provide as much detail as possible at the time of submission to increase the chances of a higher payout. To be eligible, a submission must identify an original, previously unreported critical or important vulnerability in Microsoft identity services, in one of the listed OpenID standards, or in the protocol as implemented in certified products, services or libraries. Vulnerabilities can be submitted against any version of the Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest publicly available version, so researchers should confirm the reproduction on the current release before submitting.

     Bug-bounty submissions are accepted for the following Microsoft websites and products: activedirectory.windowsazure.com, live.com, Microsoft Authenticator, microsoftonline.com, office.com, the OpenID Foundation's OpenID Connect family of standards, windows.net and windowsazure.com. Submissions should include a description of the issue, concise and easily followed reproduction steps, the impact of the vulnerability and an attack scenario. Microsoft already runs an array of bounty programs aimed at bugs in other products, including its online services, Windows Server and Microsoft Edge. In March, the company launched a new program targeting speculative execution side-channel vulnerabilities.