Microsoft Identity Bounty Program


Program Description

Information security today depends on the collaborative communication of identities and identity data within and between domains. Experts in enterprise data protection services agree that a client’s digital identity is often the key to accessing services and interacting over the Internet.

Microsoft has invested heavily in the security and privacy of its identity solutions for individuals (Microsoft account) and enterprises (Azure Active Directory). The company has made major investments in the creation, implementation, and enhancement of identity-related specifications that foster solid authentication, secure login, API security, and other critical infrastructure tasks, working through standards bodies such as the IETF, W3C and OpenID Foundation. In recognition of that strong commitment to users’ security, Microsoft is launching its Identity Bounty Program.

If you are an information security researcher who has discovered a security vulnerability in an identity authentication service, Microsoft would appreciate you sharing it with them directly, giving them the opportunity to fix it before the technical details are published. In addition to the company’s commitment to industry identity standards, Microsoft is expanding its rewards for this type of research.

Submissions prepared for this rewards program must target a fully-ratified identity standard within the scope of this program, in addition to meeting the other requirements below.

What does your submission require to be eligible?

This program, designed for information security and enterprise data protection services experts, is looking for high quality submissions that reflect a certain level of research. The goal should be to share your knowledge and findings with Microsoft developers and engineers so that they can understand and apply them quickly and efficiently, and the vulnerability can be patched.

Vulnerability reports provided to Microsoft must meet the following requirements to be eligible for bounty payment:

  • Identify a critical or important vulnerability that has never been reported and can be reproduced in the Microsoft identity services listed within the scope
  • Identify an original, previously unreported vulnerability that results in the takeover of a Microsoft account or an Azure Active Directory account
  • Identify an original, previously unreported vulnerability in the listed OpenID standards or in the protocol as implemented in Microsoft certified products, services or libraries
  • The vulnerability may affect any version of the Microsoft Authenticator application, but the reward will only be paid if the bug is reproduced in the most recent publicly available version
  • You must include a description of the problem and concise steps to reproduce it in plain language
  • Describe the impact of the vulnerability
  • Describe an attack vector in case this is not obvious

Scope

  • windows.net
  • microsoftonline.com
  • live.com
  • windowsazure.com
  • activedirectory.windowsazure.com
  • office.com
  • Microsoft Authenticator (Android & iOS apps)

How are the rewards established?

The rewards for each submission fall within a range of $500 to $100K. Higher payments are granted depending on the quality of the report and the vulnerability’s security impact. Security researchers are encouraged to provide as much data as possible at the time of submission, to make it eligible for the highest possible payment. Lower amounts are usually given for vulnerabilities that require too much user interaction to exploit.

  • If multiple bug reports are received for the same problem from different parties, the reward will be given to the report that was sent first.
  • The first external report received on an internally known issue will receive a maximum of 10% of the maximum payment.
  • If a duplicate report provides Microsoft with new information that was previously unknown, a differential payment will be granted for the duplicate report.
  • If a report is potentially eligible for multiple rewards programs, you will receive the highest payment of a single rewards program.
  • Microsoft reserves the right to refuse payment for any submission that does not meet the established standards.

Submissions Payment Table

(Image: submissions payment table, tablawindows.jpg)

A high quality report provides the information needed for an engineer to reproduce, understand and quickly fix the problem. This includes a concise write-up containing any required background information, a description of the bug, and a proof of concept.

Many Microsoft sites share a common platform. Because of this, a vulnerability reported in one domain may also exist in another domain if the problem lies in the shared platform. For example, an issue reported for account.microsoft.com can occur in exactly the same way in account.microsoft.co.uk, and the problem will be resolved on both sites with the same fix. The company asks researchers in information security and enterprise data protection services to confirm this first, and to include the other vulnerable locations in a single report instead of submitting several reports. In these cases, Microsoft will treat the bug as a single report, and any subsequent reports will be treated as duplicates.

How do you create test accounts to make eligible reports for the rewards program?

You must create test accounts and trial tenants to perform security testing.

For Azure services, you can start a free trial to use as your test account here: https://azure.microsoft.com/en-us/free/

For the Microsoft account, you can set up your test account here: https://signup.live.com/

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name to identify that the account is in use for the bug bounty program.

For further inquiries about this program and its rules, you can contact bounty@microsoft.com.

Note: Microsoft cannot predetermine possible payments prior to the official submission of a vulnerability report.