Microsoft’s new Identity Bounty program offers payouts of up to $100,000 for bugs in its identity solutions, as well as bugs in select OpenID standards.

Microsoft launched a new bug bounty program specifically aimed at identity services, with bounty payouts ranging from $500 to $100,000. Microsoft’s Identity Bounty program will reward researchers for finding eligible bugs not only in its identity solutions, but also for security vulnerabilities in “certified implementations of select OpenID standards.”

Microsoft’s Principal Security Group Manager Phillip Misner announced the new program on the Microsoft Security Response Center (MSRC) blog:

“Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation. In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program.”

Criteria for ID bug bounties

Vulnerability submissions that are eligible for a payout are required to meet certain criteria:

- Identify an original and previously unreported critical or important vulnerability that reproduces in Microsoft Identity services that are listed within scope.
- Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
- Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
- Submit against any version of the Microsoft Authenticator application, but bounty awards will be paid only if the bug reproduces against the latest, publicly available version.
- Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Include the impact of the vulnerability.
- Include an attack vector if not obvious.

Scope of bugs for Microsoft and OpenID services

Bugs affecting Microsoft’s identity services are in scope if they impact:

- windows.net
- microsoftonline.com
- live.com
- windowsazure.com
- activedirectory.windowsazure.com
- office.com
- Microsoft Authenticator (iOS and Android applications). For mobile applications, the research must reproduce on the latest version of the application and mobile operating system.

For ID bugs in non-Microsoft products, the scope is:

- OpenID Foundation – The OpenID Connect Family:
  - OpenID Connect Core
  - OpenID Connect Discovery
  - OpenID Connect Session
  - OAuth 2.0 Multiple Response Types
  - OAuth 2.0 Form Post Response Types
- Microsoft products and services Certified Implementations listed under OpenID certification

The bugs and payouts

There are eight types of bugs that can be reported, with high-quality reports earning the biggest payout. Microsoft explained, “A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write-up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”

The highest possible payout is for multi-factor authentication bypass: a high-quality bug report could earn up to $100,000, a baseline-quality submission up to $50,000, and an incomplete submission is listed as from $1,000.

Standard design vulnerabilities have the next highest payout: up to $100,000 for high-quality submissions, up to $30,000 for baseline quality, and from $2,500 for incomplete submissions.

The third-highest rewarded bugs are standards-based implementation vulnerabilities, which could pay up to $75,000 for high-quality reports, up to $25,000 for baseline quality, and from $2,500 for incomplete reports.

The other five types of bugs that can be reported, in order of how much a high-quality report would pay out, are: significant authentication bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), authorization flaw, and sensitive data exposure.

Go forth and conquer, security researchers. In the words of Misner, “Happy hunting!”