Digital identity is the key to accessing enterprise applications and services across the Internet, and Microsoft has invested heavily in this area. With services such as Microsoft Account for consumers and Azure Active Directory for the enterprise, Microsoft is committed to protecting users’ digital identities and to improving that protection. Yesterday, Microsoft announced its new Identity Bounty Program for security researchers. Researchers who find flaws in the in-scope Microsoft products, such as the Microsoft Identity services, will be paid from $500 to $100,000.
Microsoft Identity Bounty Program
If a security researcher finds a security vulnerability in one of the services listed by Microsoft, they can disclose it to Microsoft privately, allow Microsoft to fix it before the technical findings are published, and then be rewarded. Microsoft is also extending the bounty to cover certified implementations of select OpenID standards.
The following websites and services come under the scope of this program:
Microsoft Authenticator (iOS and Android applications)
And the following points go out of scope:
Reports from automated tools or scans
Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
Password, email and account policies, such as email id verification, reset link expiration, password complexity
Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
Standards-based vulnerabilities in any specification with a status of draft, candidate release, or implementation draft. Issues with candidate, implementation, or draft standards should be reported directly to the standards body in question as part of the normal standards creation process.
Standards-based vulnerabilities in specifications not explicitly listed.
Standards-based vulnerabilities in non-certified implementations of Microsoft products and services.
Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
Server-side information disclosure such as IPs, server names and most stack traces
Denial of Service issues
Vulnerabilities requiring unlikely user actions
Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
Vulnerabilities in the web application that only affect unsupported browsers and plugins
Vulnerabilities used to enumerate or confirm the existence of users or tenants
Submissions that require manipulation of data, network access, or physical attack against Microsoft offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted
Two-factor authentication bypass that requires physical access to a logged-in device
Local access to user data when operating a rooted mobile device
Ayush has been a Windows enthusiast since the day he got his first PC with Windows 98SE. He has been an active Windows Insider since Day 1 and is now a Windows Insider MVP. He has been testing pre-release services on his Windows 10 PC, Lumia, and Android devices.