Microsoft Expands Bug Bounty Program to Authentication Services
Microsoft has announced an expansion of its bug bounty program to include its authentication services and portals. The maximum reward for a 'high quality' vulnerability report is one hundred thousand dollars.
The program is called Identity Bounty, Microsoft says in an announcement. The company hopes it will attract ethical hackers and researchers who will investigate its services for vulnerabilities and report them to Microsoft, so that, according to the company, the vulnerability can be fixed before the researcher publishes a technical description. An incomplete report of a vulnerability, for example a CSRF issue or a disclosure of sensitive data, earns the minimum amount of five hundred dollars. A high-quality report, including one for a bypass of two-factor authentication, is worth up to $100,000 to Microsoft.
Microsoft limits the domains that researchers may target. These include login domains on windows.net, live.com, activedirectory.windowsazure.com and office.com. The latest versions of the Microsoft Authenticator apps for Android and iOS are also in scope, as is the implementation of the OpenID standards. Excluded from the program are, for example, reports generated by automated tools, missing HTTP headers, denial of service, and vulnerabilities that require "unlikely user interactions."
Microsoft, like many other companies, operates several reward programs. For example, after the publication of the Spectre and Meltdown vulnerabilities at the beginning of this year, it introduced a temporary program for that class of vulnerabilities.