Microsoft re-launches Bounty Program: up to $100,000 in rewards

Microsoft Bounty Program

Microsoft recently launched a new bug bounty program offering up to $100,000 in rewards to white-hat engineers who find vulnerabilities in its services.

The newly launched Microsoft Identity Bounty program asks security experts to discover and share security vulnerabilities in multi-factor authentication solutions, with rewards ranging from $500 to $100,000 depending on the level of vulnerability impact and the detected bypass level.

Microsoft said of the new bug bounty program: "A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission."

According to the bug bounty program, the biggest reward is for circumventing multi-factor authentication, and the smallest rewards are for cross-site request forgery, authorization vulnerabilities, and incompletely submitted sensitive data leaks. White-hat researchers who find these vulnerabilities and send them to Microsoft can receive a minimum of $500 and a maximum of $100,000, based on Microsoft’s official rating.

This round of the bug bounty covers the following:

login.windows.net
login.microsoftonline.com
login.live.com
account.live.com
account.windowsazure.com
account.activedirectory.windowsazure.com
credential.activedirectory.windowsazure.com
portal.office.com
passwordreset.microsoftonline.com