Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.
The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.
In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.
“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”
The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.
The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.