Microsoft to pay new bounties for identity services holes

If ye can board Microsoft accounts, Azure AD or even OpenID without the skipper knowing, loot be your reward

Microsoft’s launched a new bug bounty program, this time for identity services.

“Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions,” wrote principal security group manager Phillip Misner.

But Redmond’s not just paying to protect itself: the new bounties will also be on offer for some implementations of the OpenID specs.

Misner said Microsoft’s extended its largesse to OpenID because it knows its own authentication technologies need to work alongside standards-based efforts.

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” Misner wrote. Doing so could score you between US$500 and $100,000.

To be eligible for the cash Microsoft says you’ll need to find something nasty that impacts one of the following login tools:

  • login.windows.net
  • login.microsoftonline.com
  • login.live.com
  • account.live.com
  • account.windowsazure.com
  • account.activedirectory.windowsazure.com
  • credential.activedirectory.windowsazure.com
  • portal.office.com
  • passwordreset.microsoftonline.com
  • Microsoft Authenticator for iOS and Android

Further, the bug you find will need to:

  • Identify an original and previously unreported critical or important vulnerability that reproduces in our Microsoft Identity services.
  • Identify an original and previously unreported vulnerability that results in the taking over of a Microsoft Account or Azure Active Directory Account.
  • Identify an original and previously unreported vulnerability in listed OpenID standards or with the protocol implemented in our certified products, services, or libraries.
  • Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the bug reproduces against the latest, publicly available version.
  • Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
  • Include the impact of the vulnerability.
  • Include an attack vector if not obvious.

It’s not hard to see why Microsoft has decided its ID services are a good target for bounty hunters: the company has hundreds of millions of registered users, which makes it a target so big that bad actors surely already have all the motivation they need. Offering them an alternative, while also giving white hats more incentive, is a neat crowdsourcing play.

Legend also has it that remnants of Banyan Vines lurk within the heart of Active Directory, and surely that venerable product deserves some new attention in case an ancient horror could emerge to threaten us anew today. ®
