Microsoft announced yesterday the launch of a new Identity Bounty Program, aiming to encourage security researchers to discover new vulnerabilities in consumer and enterprise digital identity services. The new bounty program will cover Microsoft’s own identity solutions, including Azure AD and Microsoft Authenticator, as well as what the company describes as “certified implementations of select OpenID standards.”
"We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation," explained Phillip Misner, Principal Security Group Manager at the Microsoft Security Response Center. "In recognition of that strong commitment to our customer’s security we are launching the Microsoft Identity Bounty Program."
Payouts to security researchers will range from $500 for incomplete submissions to $100,000 for high-quality submissions. “Security researchers are encouraged to provide as much data at the time of submission to be more likely of the highest payout possible,” Microsoft explained, and you can learn more about how to participate by checking out the full program description.