Microsoft Bounty Program Offers Payouts As High As $100,000 For Identifying Vulnerabilities In Identity Solutions
With the new Microsoft bounty program, you can get payouts as high as $100,000 for identifying vulnerabilities in identity services and implementations of the OpenID Standard. This program includes the company’s vast array of digital identity solutions like Microsoft Account and Azure Active Directory. These solutions claim strong authentication, API security and secure sign-in sessions and if you can challenge these claims you are in for a great fortune.
Earn A Fortune With The Microsoft Bounty Program
According to Philip Misner, the principal security group manager at Microsoft,
“If you are a security researcher and have discovered a security vulnerability in the identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details. Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”
The company has stated that prizes ranging from $500 to $100,000 are available for authentication bypass, multi-factor authentication bypass, standards-based implementation vulnerabilities, cross-site scripting, cross-site request forgery or an authorization flaw. The submissions people make can vary from incomplete to very high quality submissions. These high quality submissions in the Microsoft bounty program will earn high rewards.
“Higher payouts are given based on the quality of the report and the security impact of the vulnerability,” Microsoft said. “Security researchers are encouraged to provide as much data at the time of submission to be more likely of the highest payout possible. We typically reward lower amounts for vulnerabilities that require significant user interaction.”
In order to be eligible for a submission, you must present a vulnerability in the system that was previously unreported or is critical to the identity services. You can submit vulnerabilities against versions of the Microsoft Authenticator application. Bug-bounty subissions are available for the following: activedirectory.windowsazure.com, live.com, Microsoft Authenticator (iOS and Android applications), microsoftonline.com, office.com, OpenID Foundation’s OpenID Connect Family and certified implementations listed here, windows.net and windowsazure.com.
The submitters should include a description of the problem, the impact of the problem, attack vector and reproducibility steps. The company has various bounty programs that seek to crush all bugs in their products and services. The Microsoft bounty program is an innovative to solving some very tough problems and crushing the bugs from the systems.