• United States



Microsoft’s Identity Bug Bounty program pays up to $100,000

Jul 18, 20184 mins

Microsoft’s new Identity Bounty program offers payouts of up to $100,000 for bugs in its identity solutions, as well as bugs in select OpenID standards.

windows bugs crashes
Credit: Thinkstock

Microsoft launched a new bug bounty program specifically aimed at identity services with bounty payouts ranging from $500 to $100,000.

Microsoft’s Identity Bounty program will reward researchers for finding eligible bugs in not only its identity solutions, but also for security vulnerabilities in “certified implementations of select OpenID standards.”

Microsoft’s Principal Security Group Manager Phillip Misner announced the new program on the Microsoft Security Response Center (MSRC) blog.

Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation. In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program.

Criteria for ID bug bounties

Vulnerability submissions that are eligible for a payout are required to meet certain criteria:

  • Identify an original and previously unreported critical or important vulnerability that reproduces in Microsoft Identity services that are listed within scope.
  • Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will be paid only if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if not obvious.

Scope of bugs for Microsoft and OpenID services

The scope of the bugs that affect Microsoft’s identity services are listed as those that impact:

  • Microsoft Authenticator (iOS and Android applications) – For mobile applications the research must reproduce on the latest version of the application and mobile operating system

For ID bugs in non-Microsoft products, the scope is:

  • OpenID Foundation – The OpenID Connect Family
    • OpenID Connect Core
    • OpenID Connect Discovery
    • OpenID Connect Session
    • OAuth 2.0 Multiple Response Types
    • OAuth 2.0 Form Post Response Types
  • Microsoft products and services Certified Implementations listed under OpenID certification

The bugs and payouts

There are eight types of bugs that can be reported, with high-quality reports having the biggest payout.

Microsoft explained, “A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”

The highest payout possible is for multi-factor authentication bypass as a high-quality bug report could result in up to $100,000, a baseline quality submission could result in a payout of up to $50,000, and an incomplete submission is listed as from $1,000.

Standard design vulnerabilities have the next highest payout of up to $100,000 for high-quality submissions, up to $30,000 for baseline quality, and from $2,500 for incomplete submissions.

The third highest rewarded bugs are standards-based implementation vulnerabilities, which could pay up to $75,000, up to $25,000 for baseline quality, and from $2,500 for incomplete reports.

The other five types of bugs that can be reported, in order of how a high-quality vulnerability would payout, are: significant authentication bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), authorization flaw, and sensitive data exposure.

Go forth and conquer, security researchers. In the words of Misner, “Happy hunting!”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.