Microsoft has launched a new bug bounty program, offering rewards of up to $100,000 to white-hat hackers who manage to break into its services and provide a high-quality submission.
The new Microsoft Identity Bounty Program requires security researchers to share details on security vulnerabilities discovered in identity solutions. Bounties range from $500 to $100,000 depending on the quality of the submission and the type of bypass detected.
“A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission,” Microsoft explains in a description of the new bug bounty program.
Authenticator app also included
The biggest financial reward is offered for a multi-factor authentication bypass reported in a high-quality submission, while the smallest payment is for cross-site request forgery, authorization flaws, and sensitive data exposure reported in incomplete submissions. Hackers can get $100,000 and $500, respectively, for these flaws.
The new bug bounty program covers several domains, as follows:
login.windows.net
login.microsoftonline.com
login.live.com
account.live.com
account.windowsazure.com
account.activedirectory.windowsazure.com
credential.activedirectory.windowsazure.com
portal.office.com
passwordreset.microsoftonline.com
A submission is valid and qualifies for a payment only if the bug can be reproduced on the latest public version of the app. Submissions must also include the impact of the vulnerability and an attack vector if it’s not obvious.