Microsoft has unveiled a new bug bounty program that rewards researchers up to $100,000 for discovering vulnerabilities in Microsoft’s Identity services.
Rewards range from $500 to $100,000 for flaws that affect a range of services, including Microsoft and Azure Active Directory accounts, OpenID and OAuth 2.0 standards, Microsoft Authenticator applications for iOS and Android, and identity services.
On a page dedicated to the new bug bounty program, Microsoft invites security researchers who may have discovered a security vulnerability to disclose the problem privately to the company, so that it has the opportunity to fix the issue before technical details are published, stating that “together we can bring assurance that digital identities are safe and secure.”
Microsoft goes on to say that “a high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognise that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission.”
A full description of the program can be found here.