Microsoft Identity Bounty Program

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.  

We won’t reduce report quality ratings for issues that are difficult to reproduce or understand due to their complexity.

GETTING STARTED

You must create test accounts and test tenants for security testing and probing.

• For Azure services, you can start a free trial to use as your test account here. https://azure.microsoft.com/en-us/free/
• For Microsoft Account, you can set up your test account here. http://signup.live.com/

In all cases, where possible, include the string “MSOBB” in your account name and/or tenant name in order to identify it as being in use for the bug bounty program.

Please include a Correlation ID to ensure accurate and timely assessment of your case. 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

• Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community 
• Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
• Out of scope vulnerability types, including:
  • Server-side information disclosure such as IPs, server names and most stack traces 
  • Low impact CSRF bugs (such as logoff) 
  • Denial of Service issues
  • Sub-Domain Takeovers 
  • Cookie replay vulnerabilities 
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability) 
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity
  • Vulnerabilities in a web application that only affect unsupported browsers and plugins
• Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
• Vulnerabilities based on user configuration, user action, or physical access, for example: 
  • Vulnerabilities requiring extensive or unlikely user actions 
  • Vulnerabilities in user-created content or applications. 
  • Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks 
  • Submissions that require manipulation of data, network access, or physical attack against Microsoft offices or data centers and/or social engineering of our service desk, employees or contractors
  • Two-factor authentication bypass that requires physical access to a logged-in device
  • Local access to user data when operating a rooted mobile device
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) 
  • Vulnerabilities requiring preconditions such as running malware, access to local network or devices, or man-in-the-middle attacks
• Vulnerabilities based on third parties, for example: 
  • Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications
  • Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities) 
  • Vulnerabilities in third party sites redirected to during authentication 
  • Vulnerabilities in the operating system code not owned by Microsoft 
  • Vulnerabilities in the 3rd party integration code with the Microsoft Identity platform and brokers 
• Reports from automated tools or scans
• Training, documentation, samples, and community forum sites related to Identity products and services are not in scope for bounty awards unless otherwise listed in "In-Scope Domains and Endpoints"
• Vulnerabilities in other Microsoft Products:
  • These submissions may be eligible for a bounty through another Bounty program. Please see our full list of Bounty Programs for other bounty eligible Microsoft products and services.
  • Issues resulting from misconfiguration or implementation of Authenticator libraries and brokers within other products will be awarded under the bounty programs for the products ingesting the applications.   
• Limitation on Standards-based vulnerabilities
  • Any of the following criteria would exclude a standards based vulnerability from qualifying for bounty:
    • Standards with a status of draft, candidate release, or implementation draft. Issues with candidate, implementation, or draft standards should be reported directly to the standards body in question as part of the normal standards creation process.
    • In specifications not explicitly listed.
    • In non-certified implementations of Microsoft products and services.

RESEARCH RULES OF ENGAGEMENT

To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.

If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.

Prohibited Activities

Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited. Specific prohibited activities include but are not limited to:

• Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
  • Example: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
• Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
• Interacting with storage accounts that are not part of your subscription or that you do not own.
• Performing denial-of-service testing.
• Executing network-intensive fuzzing or automated testing that generates excessive traffic.
• Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.

Even with these restrictions in place, Microsoft retains the authority to respond to any actions conducted on its networks that are deemed malicious in nature.

ADDITIONAL INFORMATION 

For additional information, please see our FAQ.  

• If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission. 
• If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  
• If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program 
• Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria. 

Thank you for participating in the Microsoft Bug Bounty Program! 

REVISION HISTORY

• December 6, 2018: Revision history section added.
• October 23, 2019: Revised reward model to include security impact, severity, and report quality. Revised bounty brief language to align with our other cloud programs.
• January 16, 2020: Added link to Research Project Grant
• February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
• June 09, 2023: Added Identity Graph APIs to in scope. Added B2C to scope with a product-specific awards table.
• September 1, 2023: Added signup.live.com to in scope.
• March 19, 2024: Added Authenticator Lite and Authenticator Broker apps to scope (iOS and Android)
• August 28, 2024: Added adminwebservice.microsoftonline.com, api.mysignins.microsoft, and provisioningapi.microsoftonline.com to scope
• August 29, 2024: Clarified out of scope for vulnerabilities requiring preconditions such as running malware, access to local network or devices, or man-in-the-middle attacks
• November 19, 2024: Temporary 50% increase in High Impact Scenario amounts and eligible security impacts for Zero Day Quest event.
• February 11, 2025: Added Correlation ID to getting Eligible Submissions and Getting Started sections.
• March 3, 2025: Removed reference to Zero Day Quest and bonus multipliers as the research challenge ended.
• May 13, 2025: Updated Research Rules of Engagement section.
• July 18, 2025: Added mysignins.microsoft.com, myaccount.microsoft.com, myaccess.microsoft.com, myapps.microsoft.com, microsoftazuread-sso.com, accounts.accesscontrol.windows.net.