Microsoft Launches Bounty Program For Digital Identity Services

Microsoft announced on Tuesday (July 17) a new program in which it will pay hackers between $500 and $100,000 if they can break into its digital identity services.

In a blog post, Microsoft said modern security depends on the communication of identities and identity data within and across domains, and that a customer’s digital identity is often key not only to accessing services but also to interacting with them across the internet. As a result, Microsoft has invested heavily in the security and privacy of both consumer and enterprise identity solutions.

“We have strongly invested in the creation, implementation and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security and other critical infrastructure tasks, as part of the community of standards experts within official standards bodies, such as IETF, W3C or the OpenID Foundation,” wrote Microsoft in the blog. “In recognition of that strong commitment to our customers’ security, we are launching the Microsoft Identity Bounty Program.”

According to the software giant, the Microsoft Identity Bounty Program places a premium on security research into digital identity services that power both consumer and enterprise services.

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” the blog post continued. “Further, in our commitment to the industry identity standards that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

Microsoft isn’t the only one paying hackers to find bugs in its systems. In April, Uber said it is testing a bounty program that will allow researchers to donate their bounties to charity, with the company matching the contribution. The company is revising its policy to specify that it won’t pursue legal action against good-faith hackers who submit flaws through its bug bounty portal, which is hosted by HackerOne.