New Bug Bounty Program for Identity Technologies by Microsoft

Microsoft Starts New & Unique Identity Bug Bounty Program

Today Microsoft Corporation launched a new bug bounty program for its online identity service technology. To further improve the security of its customers, the tech giant has launched a completely new and independent bug bounty program in the second quarter of 2018. The newly launched program, known as the Microsoft Identity Bug Bounty Program, covers identity solutions for Microsoft Accounts and Azure Active Directory as well as certain implementations of the OpenID specifications. Payouts for the new Microsoft Identity Bug Bounty Program range from $500 to $100,000, depending on the impact of the vulnerability and the quality of the analysis submitted by security researchers.

Each vulnerability submission provided to Microsoft must meet the following criteria to be eligible for payment.
  • Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services that are listed within scope.
  • Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if it is not obvious.

The scope is defined by the following URLs, which bug bounty hunters and security researchers are permitted to test.

  • login.windows.net
  • login.microsoftonline.com
  • login.live.com
  • account.live.com
  • account.windowsazure.com
  • account.activedirectory.windowsazure.com
  • credential.activedirectory.windowsazure.com
  • portal.office.com
  • passwordreset.microsoftonline.com
  • Microsoft Authenticator (iOS and Android applications)

The specifications in scope are listed separately so that researchers know exactly which technologies they may test.

  • OpenID Foundation - The OpenID Connect Family
    • OpenID Connect Core
    • OpenID Connect Discovery
    • OpenID Connect Session
    • OAuth 2.0 Multiple Response Types
    • OAuth 2.0 Form Post Response Types
  • Microsoft products and services Certified Implementations

Coordination of the reported issues is managed by the trusted and reliable Microsoft Security Response Center (MSRC) team. To participate in the Microsoft Identity Bounty Program, you must provide high-quality submissions that reflect the results of your research and share your knowledge and expertise with Microsoft developers and engineers so they can quickly reproduce, understand, and fix the problem.

Take a look at the new Microsoft program page and try submitting your fresh zero-day vulnerabilities.

Reference(s):

https://www.microsoft.com/en-us/msrc/bounty-microsoft-identity

https://blogs.technet.microsoft.com/msrc/2018/07/17/microsoft-launches-identity-bounty-program/
