Microsoft announced its Identity Bounty Program, through which security researchers can earn up to $100,000 for an eligible submission.
On 17 July, Microsoft Security Response Center (MSRC) unveiled the creation of a new bug bounty program to help it remediate vulnerabilities affecting its Identity services.
Phillip Misner, principal security group manager of MSRC, noted that security today depends largely upon protecting a customer’s digital identity. This helps explain Microsoft’s commitment to identity-based solutions, as Misner said in a blog post:
“Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation. In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program.”
According to its terms and conditions, the Microsoft Identity Bounty Program welcomes reports detailing previously unreported critical or important vulnerabilities that affect one of its in-scope Identity services. Those include account.live.com and Microsoft’s mobile Authenticator app, amongst others, as well as several standards such as OpenID Connect Core and OAuth 2.0 Form Post Response Types. Certain issues, such as reports from automated scans, denial-of-service (DoS) flaws and vulnerabilities likely requiring user interaction, aren’t in scope.
When it comes to the rewards security researchers can receive for an eligible submission, the amounts vary widely. Participants can expect (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/researchers-can-earn-up-to-100k-via-microsoft-identity-bounty-program/