Microsoft launches Identity Bounty program

Modern security depends on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. As part of the community of standards experts within official standards bodies such as IETF, W3C, or the OpenID Foundation, we have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks. In recognition of that strong commitment to our customers’ security, we are launching the Microsoft Identity Bounty Program.

The Microsoft Identity Bounty Program places a premium on security research into this critical technology that powers both consumer and enterprise services. Payouts range from $500 to $100,000. If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details. Further, in keeping with our commitment to the industry identity standards that we have worked hard with the community to define, we are extending our bounty to cover certified implementations of select OpenID standards. More details and rules for the bounty program can be found here:

Happy hunting!

Phillip Misner,

Principal Security Group Manager

Microsoft Security Response Center