Microsoft this week launched a new Identity Bounty program offering serious coin for information about security vulnerabilities affecting its identity services.

"A customer's digital identity is often the key to accessing services and interacting across the internet," the Microsoft Security Response Center team wrote in a Tuesday blog post. "We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks. In recognition of that strong commitment to our customer's security we are launching the Microsoft Identity Bounty Program."

The program covers flaws affecting login.windows.net, login.microsoftonline.com, login.live.com, account.live.com, account.windowsazure.com, account.activedirectory.windowsazure.com, credential.activedirectory.windowsazure.com, portal.office.com, passwordreset.microsoftonline.com, and the Microsoft Authenticator iOS and Android apps.

Rewards for qualifying submissions range from $500 to $100,000. To be eligible for a bounty, submissions must identify an original and previously unreported flaw that allows for the takeover of a Microsoft account or Azure Active Directory account.

"Higher payouts are given based on the quality of the report and the security impact of the vulnerability," Microsoft advised. "Security researchers are encouraged to provide as much data at the time of submission to be more likely of the highest payout possible. We typically reward lower amounts for vulnerabilities that require significant user interaction."

The program does not cover denial-of-service issues, flaws in third-party software, bugs that require "unlikely user actions," or methods of bypassing two-factor authentication that require physical access to a logged-in device.

Microsoft has several other active bug bounty programs offering maximum payouts ranging from $15,000 to $250,000.

PC Magazine