Microsoft Starts Identity Bounty Program with Payouts up to $100,000

Microsoft is launching a bug bounty program focused on customer security. The program is called the Identity Bounty Program, and it will offer bounties ranging from $500 to $100,000 for disclosing security vulnerabilities in the company’s identity services.

What Is Microsoft’s Identity Bounty Program All About

As announced in a blog post by Philip Misner, Microsoft’s Principal Security Group Manager, the company has “strongly invested in the creation, implementation and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation”. He also commented that the security of customers’ digital identities in accessing services online is more significant than ever.

In addition, the Identity Bounty Program gives security researchers the opportunity to disclose flaws in identity services privately, allowing Microsoft to resolve the disclosed issues before technical details are published. The bounty program should also extend to specific implementations of select OpenID standards.

As usual, the bug bounty program has certain criteria that should be met for the submission to be accepted:

– Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope;
– Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account;
– Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries;
– Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest,

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova.