Microsoft annouces Identity Bounty Program for the Consumer and Enterprise


Digital id is known as the important thing to accessing enterprise functions and providers throughout the Web. Microsoft is all into this enterprise. With the providers like Microsoft Account for the shoppers and Azure Lively Listing for the enterprise, Microsoft is dedicated to defending consumer’s Digital Id and even make it higher. Now, yesterday Microsoft introduced their all new Id Bounty Program for safety researchers. Upon discovering flaws in Microsoft’s scope of merchandise, just like the Microsoft Id providers as an illustration, these Safety Researchers can be paid from $500 to $100,000.
Microsoft Id Bounty Program

In case, a safety researcher finds a safety vulnerability within the providers listed by Microsoft, they will disclose that vulnerability to Microsoft privately and permit them to repair that vulnerability earlier than publishing the technical outcomes after which they are going to be rewarded. They’re additionally extending its bounty to cowl these licensed implementations of choose OpenID requirements.
The next web sites and providers come below the scope of this program:

login.home windows.web
Microsoft Authenticator (iOS and Android functions)

And the next factors exit of scope:

Reviews from automated instruments or scans
Points with out clearly recognized safety influence (similar to clickjacking on a static web site), lacking safety headers, or descriptive error messages
Password, e mail and account insurance policies, similar to e mail id verification, reset hyperlink expiration, password complexity
Safety misconfiguration of a service by a consumer, such because the enabling of HTTP entry on a storage account to permit for man-in-the-middle (MiTM) assaults
Requirements-based Vulnerabilities in any specification with a standing of draft, candidate launch, or implementation draft. Points with candidate, implementation, or draft requirements ought to be reported on to the requirements physique in query as a part of the traditional requirements creation course of.
Requirements-based Vulnerabilities in specs not explicitly listed.
Requirements-based vulnerabilities in non-certified implementations of Microsoft services and products.
Lacking HTTP Safety Headers (similar to X-FRAME-OPTIONS) or cookie safety flags (similar to “httponly”)
Server-side data disclosure similar to IPs, server names and most stack traces
Denial of Service points
Vulnerabilities requiring unlikely consumer actions
Publicly-disclosed vulnerabilities that are already recognized to Microsoft and the broader safety neighborhood
Vulnerabilities in third social gathering software program supplied by Azure similar to gallery pictures and ISV functions
Vulnerabilities within the net utility that solely have an effect on unsupported browsers and plugins
Vulnerabilities used to enumerate or affirm the existence of customers or tenants
Submissions that require manipulation of information, community entry, or bodily assault towards Microsoft workplaces or knowledge facilities and/or social engineering of our service desk, workers or contractors won’t be accepted
Two-factor authentication bypass that requires bodily entry to a logged-in machine
Native entry to consumer knowledge when working a rooted cell machine

You possibly can learn extra about this program right here.

Ayush has been a Home windows fanatic because the day he obtained his first PC with Home windows 98SE. He’s an lively Home windows Insider since Day 1 and is now a Home windows Insider MVP. He has been testing pre-release providers on his Home windows 10 PC, Lumia, and Android gadgets.

Leave a Reply