Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.
The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.
In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.
“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”
The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.
The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.
A pseudonymous security researcher has struck it big for the second time, earning the top Google bug bounty in the Chrome Reward Program.
The researcher, who goes by the handle Gzob Qq, notified Google of a Chrome OS exploit on Sept. 18, 2017 that took advantage of five separate vulnerabilities in order to gain root access for persistent code execution.
Google patched the issues in Chrome OS version 62, which was released on Nov. 15th. The details of the exploit chain were then released, showing Gzob Qq used five flaws to complete the system takeover.
Gzob Qq earned a Google bug bounty of $100,000 for the find, which is the top prize awarded as part of the Chrome Reward Program. Google first increased the Chrome bug bounty reward from $50,000 to $100,000 in March 2015 and since then, this is the second time Gzob Qq has earned that prize.
In September 2016, Gzob Qq notified Google of a Chrome OS exploit chain using an overflow vulnerability in the DNS client library used by the Chrome OS network manager.
In addition to the Google bug bounty, Gzob Qq has also received credit for disclosing flaws in Ubuntu Linux.
Google and HackerOne have partnered to start a new Google Play bug bounty program that incentivizes testers to find critical vulnerabilities in popular Android apps.
The Google Play Security Reward Program is designed to be complementary to Android bug bounty programs run by developers themselves. The Google Play bug bounty is $1,000 for any qualifying vulnerability, paid as a bonus to any other bounties offered.
To be eligible for the Google Play bug bounty, researchers will need to first submit the vulnerability to the original developer of an app. After the vulnerability has been patched, the researcher can request the reward from the Google Play bug bounty program, which is officially named the Google Play Security Reward Program.
At the start of the program, Google will only pay the bonus for remote code execution (RCE) vulnerabilities and proof of concept exploits running on Android version 4.4 KitKat and newer. And, the Google Play bug bounty will only be paid for flaws found in apps from just nine developers, including Dropbox, Line, Snapchat and Google, but more developers are expected to be added over time.
Qualifying RCE flaws must be exploitable through a singular app and cannot depend on vulnerabilities in other apps, and will have had to be patched in the 90 days prior to applying for Google Play Security Reward Program’s reward.
“As the Android ecosystem evolves, we continue to invest in leading-edge ideas to strengthen security,” Vineet Buch, director of product management for Google Play, said in the HackerOne announcement. “Our goal is continue to make Android a safe computing platform by encouraging our app developers and hackers to work together to resolve unknown vulnerabilities, we are one step closer to that goal.”