Microsoft boosts bug bounties for sign-on services

Microsoft has simplified its identity bug-hunting program, upping rewards and promising faster reviews of submissions from researchers.

The aim of the program that was created in December last year is to improve the security of Microsoft's authentication services, and it has now been tweaked to match its cloud security iniatitives.

High-quality vulnerability reports that detail privilege escalation bugs with a severity rating of critical can earn researchers up to US$100,000, if the flaw allows for mutli-factor authentication bypass.

Spoofing via cross-site scripting (XSS) or request forgery (CSRF), information leakage, standards design and implementation vulnerabilities are also within the scope of the program.

In all cases, submissions must identify a previously unreported vulnerability rated as critical or important, one that can be reproduced in the latest version of Microsoft's Identity services that are in scope for the bug bounty program.

The vulnerabilities must result in Microsoft Accounts or Azure Active Directory Accounts being taken over, the company said.

Microsoft is looking for bugs in the OpenID Foundation Connect Family standards, as well as OAuth 2.0 multiple and form post response types.

Eight Microsoft login domains and its Authenticator app for Apple iOS and Google Android devices are deemed to be in scope of the program, and researchers can set up test accounts on the services.

However, the company warned that the accounts are on live production environments, and asks researchers to avoid destruction of data, or interrupting or degrading of its online services.

Researchers are not to test vulnerabilties on other tenants apart from test accounts that they themselves own, and any kind of denial of service trials are a banned, Microsoft said.

Phishing and social engineering attacks against Microsoft are also prohibited