Digital identity is the key to accessing enterprise applications and services across the Internet, and Microsoft is heavily invested in it. With services such as Microsoft Account for consumers and Azure Active Directory for the enterprise, Microsoft is committed to protecting users' digital identity and making it better. Yesterday, Microsoft announced its new Identity Bounty Program for security researchers. Researchers who find flaws in products within the program's scope, such as the Microsoft Identity services, will be paid from $500 to $100,000.
Microsoft Identity Bounty Program
If a security researcher finds a security vulnerability in one of the services listed by Microsoft, they can disclose it to Microsoft privately, giving the company time to fix it before the technical results are published, and they will then be rewarded. Microsoft is also extending the bounty to cover certified implementations of select OpenID standards.
The following websites and services come under the scope of this program:
- login.windows.net
- login.microsoftonline.com
- login.live.com
- account.live.com
- account.windowsazure.com
- account.activedirectory.windowsazure.com
- credential.activedirectory.windowsazure.com
- portal.office.com
- passwordreset.microsoftonline.com
- Microsoft Authenticator (iOS and Android applications)
The following are out of scope:
- Reports from automated tools or scans
- Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
- Password, email and account policies, such as email ID verification, reset link expiration, password complexity
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Standards-based vulnerabilities in any specification with a status of draft, candidate release, or implementation draft. Issues with candidate, implementation, or draft standards should be reported directly to the standards body in question as part of the normal standards creation process.
- Standards-based vulnerabilities in specifications not explicitly listed.
- Standards-based vulnerabilities in non-certified implementations of Microsoft products and services.
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names and most stack traces
- Denial of Service issues
- Vulnerabilities requiring unlikely user actions
- Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
- Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
- Vulnerabilities in the web application that only affect unsupported browsers and plugins
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Submissions that require manipulation of data, network access, or physical attack against Microsoft offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted
- Two-factor authentication bypass that requires physical access to a logged-in device
- Local access to user data when operating a rooted mobile device
You can read more about this program here.