Microsoft offers $100,000 for finding bugs

Microsoft launched a new bug bounty program for finding cybersecurity vulnerabilities in its services.
Because hacking into networks and stealing data have become common and easier than ever, Microsoft now offers $100,000 for finding bugs inside their services; since new, digital identities of customers are usually the key to accessing services and interacting across the Internet.

Nowadays cybersecurity depends on the collaborative communication of identities and identity data within, and across domains; that’s why Microsoft invested heavily in the creation, implementation, and improvement of identity-related specifications that uses strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks.
The all-new independent bug bounty program is named Microsoft Identity Bounty Program; the new bug bounty program covers Microsoft Account and Azure Active Directory identity solutions, and some implementations of the OpenID specifications.

In order to stay away from any threats like this, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running.
If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;
The payouts range from $500 to $100,000, depending upon the impact and severity of the found bug. “Submissions for standards protocol or implementation bounties need to be with a fully ratified identity standard in the scope of this bounty and have discovered a security vulnerability with the protocol implemented in our certified products, services, or libraries,” Microsoft said about their program.
If you want to take part in this bounty program, you’ll need to find a bug and share your knowledge and expertise about it with Microsoft developers and engineers

Only if you meet the following condition you will be eligible for payouts from Microsoft:
• Identify an original and previously unreported critical or important flaw that reproduces in Microsoft’s Identity services listed within scope.
• Identify an original and previously unreported flaw that results in the taking over of a Microsoft Account or Azure Active Directory Account.
• Identify an original and previously unreported flaw in listed OpenID standards or with the protocol implemented in Microsoft’s certified products, services, or libraries.
• Submit against any version of Microsoft Authenticator application, but bounty awards will only be paid if the vulnerability reproduces against the latest, publicly available version.
• Include a description of the issue you found and concise reproducibility steps that are easily understood.
• Include the impact of the vulnerability.
• Include an attack vector if not obvious.

All vulnerabilities must impact one of the following login tools:
• login.windows.net
• login.microsoftonline.com
• login.live.com
• account.live.com
• account.windowsazure.com
• account.activedirectory.windowsazure.com
• credential.activedirectory.windowsazure.com
• portal.office.com
• passwordreset.microsoftonline.com
• Microsoft Authenticator for iOS and Android applications

Keep in mind that higher payouts are given based on the quality of your report and the security impact of the vulnerability you found.

We would continue to monitor this bounty program. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.