Microsoft continues to invest heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have focused on the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.
The Microsoft Identity Bounty Program invites researchers across the globe to identify vulnerabilities in identity products and services and share them with our team. Qualified submissions are eligible for bounty rewards from $1,500 to $100,000 USD.
In conjunction with our collabortion with the OpenID standards community our bounty includes certified implementations of select OpenID standards.
Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.
This bounty program runs in parallel to the ongoing Microsoft Identity Research Project Grant.
The goal of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Microsoft’s customers. Vulnerability submissions must meet the following criteria to be eligible for bounty award:
Identify a previously unreported critical or important vulnerability that results in an in-scope security impact and meets any of the below criteria:
Reproduces in the latest, publicly available version of in-scope Microsoft Identity services
Results in the taking over of a Microsoft Account or Azure Active Directory Account.
Is listed in OpenID standards or with a OpenID-compliant protocol and is implemented in our certified products, services, or libraries.
Includes all the following information:
A description of the issue and concise reproducibility steps that are easily understood.
The impact of the vulnerability
Attack vector if not obvious
login.windows.net
login.microsoftonline.com
login.live.com
account.live.com
account.windowsazure.com
account.activedirectory.windowsazure.com
credential.activedirectory.windowsazure.com
passwordreset.microsoftonline.com
Microsoft Authenticator (iOS and Android applications)*
* For mobile applications: research must reproduce on the latest version of the application and mobile operating system.
Standards Scope:
Microsoft products and services Certified Implementations listed here.
OpenID Foundation - The OpenID Connect Family
OpenID Connect Core
OpenID Connect Discovery
OpenID Connect Session
OAuth 2.0 Multiple Response Types
OAuth 2.0 Form Post Response Types
Please note:Submissions for standards, protocols, or implementation bounties must be submitted with a fully ratified identity standard in scope of this bounty and have discovered a security vulnerability with the standard or protocol implemented in our certified products, services, or libraries.
Standards professionals with contributions or affiliations to identity standards working groups are not eligible to receive standards-related bounties.
Bounty awards range from $1,500 up to $100,000. Higher awards are possible, at Microsoft’s sole discretion, based on entry impact, severity, and quality.
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.
We won’t reduce report quality ratings for issues that are difficult to reproduce or understand due to their complexity.
### HOW TO CREATE TRIAL ACCOUNTS FOR TESTING OF BOUNTY-ELIGIBLE AZURE AND MICROSOFT ACCOUNT SERVICES?
You must create test accounts and test tenants for security testing and probing.
For Azure services, you can start a free trial to use as your test account here. <https://azure.microsoft.com/en-us/free/>
For Microsoft Account, you can set up your test account here. <http://signup.live.com/>
In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being in use for the bug bounty program.
Send your complete submission to Microsoft using the MSRC Submission portal, following the recommend format in our submission guidelines. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions. Have questions? We're always available at secure@microsoft.com. #### Out of Scope:
Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
Out of scope vulnerability types, including:
Server-side information disclosure such as IPs, server names and most stack traces
Low impact CSRF bugs (such as logoff)
Denial of Service issues
Sub-Domain Takeovers
Cookie replay vulnerabilities
URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
Password, email and account policies, such as email id verification, reset link expiration, password complexity
Vulnerabilities in a web application that only affect unsupported browsers and plugins
Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
Vulnerabilities based on user configuration, user action, or physical access, for example:
Vulnerabilities requiring extensive or unlikely user actions
Vulnerabilities in user-created content or applications.
Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
Submissions that require manipulation of data, network access, or physical attack against Microsoft offices or data centers and/or social engineering of our service desk, employees or contractors
Two-factor authentication bypass that requires physical access to a logged-in device
Local access to user data when operating a rooted mobile device
Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
Vulnerabilities used to enumerate or confirm the existence of users or tenants
Vulnerabilities based on third parties, for example:
Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
Reports from automated tools or scans
Training, documentation, samples, and community forum sites related to Identity products and services are not in scope for bounty awards unless otherwise listed in "In-Scope Domains and Endpoints"
Vulnerabilities in other Microsoft Products:
Limitation on Standards-based vulnerabilities
Any of the following criteria would exclude a standards based vulnerability from qualifying for bounty:
Standards with a status of draft, candidate release, or implementation draft. Issues with candidate, implementation, or draft standards should be reported directly to the standards body in question as part of the normal standards creation process.
In specifications not explicitly listed.
In non-certified implementations of Microsoft products and services.
Independent security research is an important component to overall confidence in the security of products and services. As part of that research, the community must also be aware that these services are live and running in a production environment for the continual use of customers. We ask that security researchers make a good faith effort to:
Avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. If you discover customer data while researching, stop immediately and contact us.
Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by an individual researcher – do not run tests against any other tenants.
Moving beyond “proof of concept” repro steps for server-side execution issues is not acceptable practice. I.e. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not.
To further help security researchers understand the bounds of research within our services, the following methods are prohibited:
Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
Any kind of Denial of Service testing.
Performing automated testing of services that generates significant amounts of traffic.
The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here, and to our bounty Safe Harbor policy.
Have questions? Our Bounty FAQ is available here or we're always available at bounty@microsoft.com.
December 6, 2018: Revision history section added.
October 23, 2019: Revised reward model to include security impact, severity, and report quality. Revised bounty brief language to align with our other cloud programs.
January 16, 2020: Added link to Research Project Grant
February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
This program crawled on the 2018-07-18 is sorted as bounty.
FireBounty © 2015-2024