First published on CloudBlogs on Jul 23, 2018 (reposted due to incorrect byline)
Hey there! Alex Weinert from the Microsoft Identity Division’s Security and Protection team here. I wanted to take a moment to highlight a big power-up to the Microsoft Identity Bounty Program! The program is all about inviting the security research community to help us identify existing or emerging threats that could harm our users. We previewed some exciting enhancements to the program at the Identiverse conference a few weeks ago and formally announced them July 19, 2018. Here are the key enhancements:
Identity standards bounties—Building a great security story with identity as the control plane requires fantastic standards-based interoperability. OAuth 2.0, Open ID Connect, and FIDO 2.0 (among others) all play a huge role in making this happen. To ensure key identity standards are as secure as they can be from day one, we are paying a bounty on select ratified standards, starting today with the Open ID Connect family of specifications, developed at the OpenID Foundation.
Sensitive user data bounties—You’ve seen the headlines—OAuth consent and data extraction incidents are on the rise. Because of our deep commitment to user privacy and enterprise data confidentiality, we are paying bounties on collections of inappropriately shared sensitive user data (this adds to our existing bounties on vulnerabilities that expose this data).
Increased bounties—In recognition of the critical role cloud identity plays in your security strategy, we are substantially increasing the bounties we pay on vulnerabilities in our identity systems—up to $100,000 in some cases.
Learn about the specifics on our Microsoft Identity Bounty Program website. This is our invitation to the best and brightest security minds to join us in our mission of protecting nearly 1 billion identities that use the Microsoft Identity platform to log in to the services and apps they love every day. Happy hunting!