Microsoft Identity Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

Microsoft continues to invest heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have focused on the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation.

Qualified submissions are eligible for bounty awards from 750to750 to 750to100,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

In conjunction with our collaboration with the OpenID standards community, our bounty includes certified implementations of select OpenID standards.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Identify a previously unreported critical or important vulnerability that results in an in-scope security impact and meets any of the below criteria:
  • Reproduces in the latest, publicly available version of in-scope Microsoft Identity services
  • Results in the taking over of a Microsoft Account or Azure Active Directory Account
  • Is listed in OpenID standards or with a OpenID-compliant protocol and is implemented in our certified products, services, or libraries
• Includes all the following information:
  • A description of the issue and concise reproducibility steps that are easily understood
  • The impact of the vulnerability
  • Attack vector if not obvious
  • Correlation ID

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

• login.windows.net
• login.microsoftonline.com
• login.live.com
• account.live.com
• account.microsoft.com
• signup.live.com
• account.windowsazure.com
• account.activedirectory.windowsazure.com
• credential.activedirectory.windowsazure.com
• passwordreset.microsoftonline.com
• Microsoft Authenticator (iOS and Android applications)*
• Microsoft Authenticator Broker (iOS and Android applications)*
• Microsoft Authenticator Lite (iOS and Android applications)*
• graph.microsoft.com APIs that originate in and impact the Identity Authentication workflow, listed under the Directory Management, Governance, and Identity and Sign In tabs in the Working with Azure Active Directory Resources in Microsoft Graph V1.0 page
• Azure Active Directory B2C (awarded under the B2C Awards table)
• adminwebservice.microsoftonline.com
• api.mysignins.microsoft.com
• provisioningapi.microsoftonline.com
• myaccess.microsoft.com
• myapps.microsoft.com
• myaccount.microsoft.com
• microsoftazuread-sso.com
• mysignins.microsoft.com
• accounts.accesscontrol.windows.net

* For mobile applications: research must reproduce on the latest version of the application and mobile operating system.

Standards Scope:

Microsoft products and services Certified Implementations listed here.

• OpenID Foundation - The OpenID Connect Family
• OpenID Connect Core
• OpenID Connect Discovery
• OpenID Connect Session
• OAuth 2.0 Multiple Response Types
• OAuth 2.0 Form Post Response Types

Please note: Submissions for standards, protocols, or implementation bounties must be submitted with a fully ratified identity standard in scope of this bounty and have discovered a security vulnerability with the standard or protocol implemented in our certified products, services, or libraries.

Standards professionals with contributions or affiliations to identity standards working groups are not eligible to receive standards-related bounties.

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

• For Azure services, you can start a free trial to use as your test account here: https://azure.microsoft.com/en-us/free/
• For Microsoft Account, you can set up your test account here: http://signup.live.com/

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being used for security research.

Please include a Correlation ID to ensure accurate and timely assessment of your case.

BOUNTY AWARDS

Bounty awards range from 750upto750 up to 750upto100,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.