First published on CloudBlogs on Jul 23, 2018
Hey there! Alex Weinert from the Microsoft Identity Division’s Security and Protection team here. I wanted to take a moment to highlight a big power-up to the Microsoft Identity Bounty Program! The program is all about inviting the security research community to help us identify existing or emerging threats that could harm our users. We previewed some exciting enhancements to the program at the Identiverse conference a few weeks ago and formally announced them on July 19, 2018. Here are the key enhancements:
- Identity standards bounties—Building a great security story with identity as the control plane requires fantastic standards-based interoperability. OAuth 2.0, OpenID Connect, and FIDO 2.0 (among others) all play a huge role in making this happen. To ensure key identity standards are as secure as they can be from day one, we are paying a bounty on select ratified standards, starting today with the OpenID Connect family of specifications, developed at the OpenID Foundation.
- Sensitive user data bounties—You’ve seen the headlines—OAuth consent and data extraction incidents are on the rise. Because of our deep commitment to user privacy and enterprise data confidentiality, we are paying bounties on collections of inappropriately shared sensitive user data (this adds to our existing bounties on vulnerabilities that expose this data).
- Increased bounties—In recognition of the critical role cloud identity plays in your security strategy, we are substantially increasing the bounties we pay on vulnerabilities in our identity systems—up to $100,000 in some cases.