
Microsoft wants security researchers to help it make its identity data and identity management more bombproof, and has announced an Identity Bounty Program.

For individuals and companies alike, identity data has become a hugely important aspect of online life. Customers and service users need a digital identity to access products and tools across the internet. Organizations use identity data across multiple domains and machines within a network.

The company says the Identity Bounty Program extends its commitment to protecting user data online. Microsoft wants security researchers to privately disclose vulnerabilities they find in its various Identity services.

With the information, Microsoft will be able to fix the problem before it is made public. In return, security researchers will be awarded cash rewards. However, there is a protocol for what will be accepted as an eligible submission.

Eligibility

For example, a submission must describe a previously unreported flaw rated critical or important, and the vulnerability must be reproducible in Microsoft's Identity services. The company has detailed the following criteria for a successful submission:

  • Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope.
  • An original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if it is not obvious.

Among the Identity services Microsoft wants researchers to report on are the logins for Windows, Microsoft Online, Live, Azure, Active Directory, and more.

Payments

Cash rewards will be given for qualifying submissions, with bounties ranging from $500 to $100,000. Microsoft points out that the better the report, both in how detailed it is and in how critical the flaw is, the higher the bounty paid.

To that end, the company wants researchers to provide as much data as possible on the vulnerabilities they find. In many instances, the same vulnerability may be reported more than once. In that case, Microsoft will

To find out more about the Identity Bounty Program, visit Microsoft’s official site.