Bounties used to be put on people's heads. Now it feels like they're all going to bugs--many companies have introduced programs that pay researchers who discover and disclose problems with their products. Microsoft added one more program to the list with the new Microsoft Identity Bounty Program, which offers payments of up to $100,000 to anyone who finds a flaw in the identity services used by its many platforms.
Microsoft's ecosystem can encapsulate significant portions of people's lives. Someone might use Windows 10 on their PC, manage their email via Outlook, and conduct business in Office. Given the sensitive nature of most of these products--nobody wants their emails compromised or their Next Great Novel read before it's ready--it's vital for Microsoft to protect users' identities. That's why it announced this Identity Bounty Program.
The new program specifically covers flaws in various Microsoft websites, from Azure to Outlook, as well as the Microsoft Authenticator app used for two-factor authentication on iOS and Android devices. It also covers problems with some OpenID standards and Microsoft's implementation of them. (The company isn't willing to foot the bill for bugs found in every OpenID standard, which makes sense given that it doesn't use all of 'em.)
Payments are based on the severity of a flaw and where it's found. The bounties range from at least $500 for incomplete submissions in some categories to as high as $100,000 for "high quality submissions" related to bypassing multi-factor authentication. You can find more about what Microsoft is looking for, what it doesn't want researchers to waste time on, and how much it's willing to pay on its page about the program.
This is just the latest of Microsoft's bug bounties. The company will also pay researchers to disclose security problems in Windows or speculative execution flaws, like Meltdown and Spectre, in processors. Many other companies do the same for their products. It's 2018--the assumption is that someone will find a security hole in something. These programs encourage responsible disclosure instead of criminal exploitation.
