Microsoft Announces Azure DevOps Bug Bounty Program

Better days are ahead for researchers: Microsoft has launched a bug bounty program covering Azure DevOps Services and its on-premises counterpart, Team Foundation Server.

With rewards of up to $20,000, Microsoft has announced that the program is open to researchers who discover and report vulnerabilities in Team Foundation Server and Azure DevOps Services, a platform for code development and collaboration.

Azure DevOps is used by developers around the world for hosting Git repositories, running build and test pipelines, creating packages and artifacts, and other code-related work.

Microsoft disclosed in a blog post that the goal of the bounty program is to identify significant, previously unknown flaws that have a demonstrable impact on the security of its customers. Qualifying impact includes elevation of privilege, spoofing, information disclosure, tampering, and remote code execution.

Insecure deserialization, injection vulnerabilities, cross-tenant data tampering, cross-site scripting (XSS), and server-side code execution are also in scope for the program.

Buck Hodges, Director of Engineering for Azure DevOps, said the company will continue to conduct regular code reviews to inspect the security of its infrastructure. The company also regularly uses a red team to attack its own systems in order to find weak links and vulnerabilities.

The bug bounty rewards range from $500 to a top award of $20,000. The maximum award is reserved for remote code execution. Other payouts are tiered by the severity of the vulnerability discovered (high, medium, low), with tiers pegged at $10,000, $15,000 and $20,000.

Microsoft also noted that higher awards are possible, based on the nature and quality of the submission and at the company's sole discretion.

The company asks researchers to submit a written or video description of their findings, together with a proof of concept (PoC) that allows its in-house engineers to reproduce the bug.

Microsoft isn't the only tech company to run bounty programs of this kind. Only last year, Intel offered up to $250,000 for the identification of high-severity flaws, and Google and Facebook have long run bounty programs that invite researchers to find flaws in their systems.

Microsoft currently runs nine other bounty programs, the highest award being for vulnerabilities in Hyper-V ($250,000).

CloudWedge