Image

Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation. In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program.According to its terms and conditions, the Microsoft Identity Bounty Program welcomes reports detailing previous unreported critical or important vulnerabilities that affects one of its in-scope Identity services. Those include account.live.com and Microsoft's mobile Authenticator app, amongst others, as well as several standards such as OpenID Connect Core and OAuth 2.0 Form Post Response Types. Certain issues such as reports from automated scans, denial-of-service (DoS) flaws and vulnerabilities likely requiring user interaction aren't in scope. When it comes to the rewards security researchers can receive for an eligible submission, the amounts vary widely. Participants can expect to make at least $500 for an incomplete submission detailing an authorization flaw or instance of sensitive data exposure. On the other end of the spectrum, they can earn up to $100,000 for a high-quality submission disclosing enough information for an engineer to reproduce, grasp the specifics of and fix a multi-factor authentication bypass or standards design vulnerabilities.
Image
