Microsoft Bounty Program Offers Payouts for Identity Service Bugs

Microsoft has lifted the curtain on a new bug-bounty program, offering payouts as high as $100,000 for vulnerabilities in its identity services and in certified implementations of select OpenID standards.

The bounty program covers Microsoft's digital identity services, which provide strong authentication, secure sign-in sessions and API security. Those services include Microsoft Account and Azure Active Directory, which offer identity and access capabilities for consumer and enterprise applications respectively, as well as certified implementations of the OpenID Foundation's standards that Microsoft helped define.

“If you are a security researcher and have discovered a security vulnerability in the identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” Phillip Misner, principal security group manager with Microsoft, said Tuesday. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

According to Microsoft, awards ranging from $500 to $100,000 are available for a significant authentication bypass, a multi-factor authentication bypass, standards-based implementation vulnerabilities, cross-site scripting, cross-site request forgery or an authorization flaw.

“Identity services are a crucial component and security vulnerabilities in these services can have a very high impact on the platform,” Edwin Foudil, a security researcher who usually goes under the alias “EdOverflow,” told Threatpost. “The payouts are also very high which is why I believe this program will be a big success. Bug bounty hunters will be attracted to this type of program since anything that they find could have a higher impact than on usual services.”

Payouts scale with submission quality, from incomplete reports through baseline-quality reports up to high-quality submissions, which take the top awards. For instance, a high-quality multi-factor authentication bypass submission can earn a participant $100,000.

Higher payouts are given based on the quality of the report and the security impact of the vulnerability, Microsoft said. “Security researchers are encouraged to provide as much data as possible at the time of submission to be more likely to receive the highest payout possible,” said the company. “We typically reward lower amounts for vulnerabilities that require significant user interaction.”

To be eligible for payment, a submission must identify an original and previously unreported critical or important vulnerability either in Microsoft identity services, in the listed OpenID standards or in the protocol as implemented in certified products, services or libraries; or it must demonstrate a vulnerability that results in the takeover of a Microsoft Account or Azure Active Directory account. Vulnerabilities can also be submitted against any version of the Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest publicly available version.

Bug-bounty submissions are accepted for the following Microsoft websites and products: activedirectory.windowsazure.com, live.com, Microsoft Authenticator (iOS and Android applications), microsoftonline.com, office.com, the OpenID Foundation's OpenID Connect family of standards and the certified implementations it lists, windows.net and windowsazure.com.

Researchers should include a description of the issue and concise, easily understood reproduction steps, along with the impact of the vulnerability and, where it is not obvious, the attack vector.

Microsoft already runs an array of bounty programs for other products, including online services, Windows Server and Microsoft Edge. In March, the company launched a new program targeting speculative-execution side-channel vulnerabilities (Spectre-class).