Microsoft offers bug bounties for holes in its identity services

Microsoft is asking security researchers to look for and report technical vulnerabilities affecting its identity services and OpenID standards implementations, and is offering bug bounties that can reach as high as $100,000.

Microsoft identity services bugs

“Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation,” the company explained.

“The Microsoft Identity Bounty Program places a premium on security research into this critical technology that powers both consumer and enterprise services. Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

About the Microsoft Identity Bounty Program

The bug hunters are directed to search for vulnerabilities in:

  • login.windows.net
  • login.microsoftonline.com
  • login.live.com
  • account.live.com
  • account.windowsazure.com
  • account.activedirectory.windowsazure.com
  • credential.activedirectory.windowsazure.com
  • portal.office.com
  • passwordreset.microsoftonline.com
  • Microsoft Authenticator (iOS and Android applications – the research must reproduce on the latest version of the application and mobile operating system)
  • The OpenID Connect standards
  • Microsoft products and services Certified Implementations listed here.

Microsoft won’t be handing out rewards for reports from automated tools or scans, DoS issues, two-factor authentication bypass that requires physical access to a logged-in device, etc.

The biggest rewards are reserved for standards design vulnerabilities and multi-factor authentication bypass flaws.

aa

As is usual in these types of programs, the higher the quality of the report, the higher the handed out amount of the bounty.

“A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept,” Microsoft noted.

“We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”

The company has also explained how to create test accounts so that is obvious for the company that they are being used for the bug bounty program.