Editorial

Microsoft will give you $100,000 if you can hack its Identity code

New Identity Bounty Programme offering cash incentives to hackers who think they can find weaknesses in its Digital Identity offering

Posted 19 July 2018 by Gary Flood


Think you’re smarter than a Microsoft Digital Identity coder? Well, now’s your chance to prove it, as the company has just opened a cash incentive scheme to encourage people to find security flaws in its identity products.

The company’s Principal Security Group Manager, Philip Misner, announced the bounty in a blog post published this week. He noted that a customer’s digital identity is often the key to accessing services and interacting online, and that Microsoft has invested heavily in the security and privacy of both its consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions.

Given that the company has “strongly invested” in the creation, implementation and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security and other critical infrastructure tasks (work carried out alongside the community of standards experts within official bodies such as the IETF, the W3C and the OpenID Foundation), Misner sees the launch of the Microsoft Identity Bounty Program as the logical next step. Here is why he wants you to try to hack it:

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details. Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

Submissions for standards-protocol or implementation bounties must concern a fully ratified identity standard that is within the programme’s scope, and must describe a security vulnerability in that protocol as implemented in Microsoft’s certified products, services or libraries.

“Together we can bring assurance that digital identities are safe and secure,” Misner adds.

The Microsoft Identity Bounty Program is subject to Microsoft’s bounty legal terms, as amended within the programme description, and you get paid, basically, if you:
  • Identify an original and previously unreported critical or important vulnerability that reproduces in the Microsoft Identity services listed as in scope
  • Identify an original and previously unreported vulnerability that results in the takeover of a Microsoft Account or an Azure Active Directory account
  • Identify an original and previously unreported vulnerability in the listed OpenID standards, or in the protocol as implemented in Microsoft’s certified products, services or libraries
  • Submit against any version of the Microsoft Authenticator application, although bounty awards will only be paid if the bug reproduces against the latest publicly available version
  • Include a description of the issue and concise, easily understood reproduction steps (this allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported)
  • Include the impact of the vulnerability
  • Include an attack vector, if it is not obvious.

And now the good bit: how much can I earn? The good news is that Microsoft will pay up to $100,000 (£77,000) for a “high-quality submission”, with awards sliding down to $500 (£383) for “incomplete” ones.

Note that you must create your own test accounts and test tenants for security testing and probing, rather than testing against accounts you do not own. So get hacking: better Digital Identity products will help us all.