Heads up, white hats: “This customer's digital identity is often the key to accessing services and interacting across the Internet,” the Microsoft Security Response Center team wrote in a Tuesday blog post. “We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API, and other critical infrastructure tasks. are the launching of the Microsoft Identity Bounty Program.”
The program covers flaws affecting login.windows.net, login.microsoftonline.com, login.live.com, account.live.com, account.windowsazure.com, account.activedirectory.windowsazure.com, credential.activedirectory.windowsazure.com, portal.office.com, passwordreset.microsoftonline.com, and the Microsoft Authenticator iOS and Android apps.
Rewards for qualifying submissions range from $500 to $100,000. To be eligible for a bounty, submissions must identify an original and previously unreported flaw that allows for the takeover of a Microsoft account or Azure Active Directory account.
“Higher payouts are based on the quality of the report and the security impact of the vulnerability,” Microsoft advised. “Security researchers are encouraged to provide as much data at the time of submission as possible.”
The program does not cover denial-of-service issues, flaws in third-party software, bugs that require “unlikely user actions,” or methods of bypassing two-factor authentication that require physical access to a logged-in device. For the full program details, head here.
Microsoft has several other active bug bounty programs offering maximum payouts ranging from $15,000 to $250,000.