Microsoft launches Azure DevOps bug bounty program, $20,000 rewards on offer

This article originally appeared on ZDNet.

Microsoft has launched a new bug bounty program for the Azure DevOps cloud service, with rewards of up to $20,000 on offer for researchers.

On Thursday, Microsoft announced that the bug bounty scheme is now open to researchers willing to help improve the security of Azure DevOps, a cloud-based platform used for collaborative code development.

Azure DevOps is used by developers worldwide to work on code-related projects and includes test pipelines, private Git repository access, package and artifact creation, and testing tools.

According to Jarek Stanley, Microsoft Security Response Center (MSRC) Senior Program Manager, the new program is “dedicated to providing rock-solid security for our DevOps customers.”

Bug bounty awards range from $500 to $20,000. The most serious bugs, those resulting in remote code execution (RCE), are eligible for the maximum award, but depending on severity, ranked as “high,” “medium,” and “low,” payouts are pegged at $10,000, $15,000, or $20,000.

In addition to RCE vulnerabilities, Microsoft will also reward researchers for bug reports relating to privilege escalation, information disclosure, spoofing, and system tampering.

Cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), cross-tenant data tampering and access, insecure direct object references, insecure deserialization, injection bugs, server-side code execution, and any “significant” security misconfigurations unearthed by bug bounty hunters are all acceptable under the terms of the program.

However, denial-of-service bugs have been deemed out of scope and will not be rewarded.

The full payout list is below:

[Image: Microsoft payout table]

Researchers must provide a write-up or video documenting their findings, a description of the vulnerability, and proof-of-concept (PoC) code that will enable engineers to reproduce the bug and potential attacks.

Microsoft isn’t the only major tech vendor choosing to expand its bug bounty programs. In February last year, Intel opened up its program to the public and dangled rewards of up to $250,000 for high-severity flaws, with side channel vulnerabilities of particular interest.

Google then chose to expand its bug bounty program in August to include external attack methods and vectors that threat actors could exploit to bypass abuse and fraud protection systems.

Facebook now awards up to $40,000 for account takeover vulnerabilities and will also reward hunters for reports of user token exposure issues.

The European Union has also recently become involved in the bug bounty industry by promising to fund bug bounty programs for open-source projects including KeePass, 7-zip, VLC Media Player, Drupal, and FileZilla.
