HomeWinBuzzer NewsMicrosoft’s New Identity Bounty Program Offers $100,000 for Vulnerabilities in Identity Services

Microsoft’s New Identity Bounty Program Offers $100,000 for Vulnerabilities in Identity Services

A new Identity Bounty Program rewards security researchers who uncover vulnerabilities in Microsoft’s services and send private details to the company.


Table of Contents:

wants researchers to help it make identity data and management more bomb proof and has announced an Identity Bounty Program.

For individuals and companies alike, identity data has become a hugely important aspect of online life. Customers and service users need a digital identity to access products and tools across the internet. Organizations use identity data across multiple domains and machines within a network.

The company says the Identity Bounty Program extends its commitment to protecting user data online. Microsoft wants security researchers to privately disclose vulnerabilities they find in its various Identity services.

With the information, Microsoft will be able to fix the problem before it is made public. In return, security researchers will be awarded cash rewards. However, there is a protocol for what will be accepted as an eligible submission.


For example, the submission needs to be of a previously unreported flaw that is critical or important. Any vulnerability must be reproduceable in Microsoft's Identity services. The company has detailed the following criteria for a successful submission:

  • Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope.
  • An original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability
  • Include an attack vector if not obvious

Among the Identity services Microsoft wants researcher to report on are logins for Windows, Microsoft Online, Live, Azure, Active Directory, and more.


Cash rewards will be given for qualifying submissions, with the bounty set from $500 to $100,000. Microsoft points out the better the report (how detailed and how critical the flaw) the more bounty will be paid.

To that end, the company wants researchers to provide has much data as possible on vulnerabilities. In many instances, the same vulnerability may be reported more than once. In that case, Microsoft will

To find out more about the Identity Bounty Program, visit Microsoft's official site.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News

Table of Contents:

Table of Contents: