Microsoft's bug bounty program is a shell of its former self. They quietly disqualified a lot of high-impact findings in 2023.

In my own experience:

- Leaked service principal credentials granting access to their tenant? $0 bounty.

- Leaked employee credentials granting access to generate privileged tokens? $0 bounty.

- Access to private source code? $0 bounty.

Etc.

I will forever remain radicalized by how every tech company decided to just say fuck it in 2023. (ex-Google and left in 2023 over similar shenanigans)

Should be a major public reckoning over this. But there can't be, they hold the cards, the only real view of this you'd have is day-to-day on Blind and some occasional posts that stir honest discussion here.

I guess we just get to grin and bear it while they give gold statues and millions to the right politicians.

It’ll come. Can’t say in what form, but the reckoning will come. Probably antitrust, or anti-tech regulations as the public hatred of the tooligarchs grows. The problem with being out of touch is you can’t see the ground shifting beneath your feet.

Corporations getting regulated out of existence is unlikely.

Fwiw, the way it works is that Microsoft doesn't really have a bug bounty program. Individual Microsoft teams have bug bounty programs (or not). Platform teams like Entra, Windows, and Azure have robust programs. However, when teams that operate on top of platforms misconfigure those platforms (as happened here), those bugs are owned by the teams that operate on top of the platform, not by the platform.

That's some exceptionally shallow thinking on their part. I think many people would agree that part of the vulnerability is that the authentication configuration options do not map well onto real-world use cases, the documentation surrounding this is absent or confusing, and even internal teams that should know better are creating insecure services an alarming percentage of the time.

This is what I like about actual safety culture, like you would find in aviation, _all causes_ are to be investigated, all the way back to the shape, size and position of the switches on the flight deck.

It's difficult to take Microsoft's stance seriously. It makes the prices for their "service" seem completely unjustifiable.

Access to private source code?

Have they already gotten so drunk on "zero trust" that they don't think it should matter if attackers see their source code? Then again, they are open-sourcing a ton of stuff these days...

I think they just don't care.

Their SECURITY.md mentions bug bounties, yet if your submission has anything to do with GitHub it's immediately disqualified. They refuse to remove that (in my opinion) misleading language.

https://github.com/microsoft/.github/blob/main/SECURITY.md

They need the money for AI data centers