Microsoft Lab Offers $300K For Working Azure Exploits

Microsoft says its Azure Security Lab will allow researchers to attack its cloud environment in a customer-safe way.

Las Vegas – In an attempt to sniff out bugs in its Azure cloud platform, Microsoft announced at Black Hat USA 2019 on Monday that it will offer rewards of up to $300,000 for researchers who launch successful test exploits for the platform.

Microsoft has launched a dedicated Azure cloud host testing environment, dubbed Azure Security Lab. The exclusive program will allow security researchers to test attacks on infrastructure-as-a-service (IaaS) scenarios without impacting customers. These hosts are isolated from the Azure production environments that customers use, meaning that researchers will have more flexibility to research and test live exploits.

“The isolation of the Azure Security Lab allows us to offer something new: Researchers can not only research vulnerabilities in Azure, they can attempt to exploit them,” said Kymberlee Price, principal security PM manager for the Microsoft Community and Partner Engagement Programs, in a blog post on Monday. “To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented individuals to come and do their worst to emulate criminal hackers in a customer-safe cloud environment called the Azure Security Lab.”

Researchers with access to the Azure Security Lab may also attempt scenario-based challenges with top awards of $300,000. Starting on Monday, researchers can apply at Microsoft’s website.

In addition to Azure Security Lab, Microsoft announced that it will double its bug-bounty rewards for researchers who discover Azure vulnerabilities.

Microsoft in January launched a new bug-bounty program designed to sniff out flaws in Azure DevOps with top rewards of up to $20,000. Now, the software giant is increasing those top rewards to $40,000.

Azure DevOps is a cloud service launched in 2018 that enables collaboration on code development across the breadth of a development lifecycle. The two in-scope services for the bounty program are Azure DevOps Services (formerly Visual Studio Team Services) and the latest publicly available versions of Azure DevOps Server and Team Foundation Server.

It’s only the latest bug-bounty program started by the tech giant; in fact, Microsoft said that it has paid out $4.4 million in bounty rewards over the past 12 months across its various programs.

In July 2018, Microsoft kicked off a bug-bounty program offering payouts as high as $100,000 for holes in its identity services and its implementations of the OpenID standard. In scope are Microsoft Account and Azure Active Directory, which provide identity and access capabilities for both consumer and enterprise applications, as well as Microsoft’s implementations of the OpenID authentication standard.

And in March 2018, in the wake of the Meltdown and Spectre flaws, Microsoft started a bug-bounty program targeting speculative-execution side-channel vulnerabilities. That limited-time program ran until December 31, 2018, and offered up to $250,000 for identifying new categories of speculative-execution attacks that Microsoft and other industry partners were not yet aware of.

Microsoft on Monday also published safe-harbor terms: conditions that spell out how researchers acting in good faith can report bugs without facing legal repercussions.

“Microsoft is committed to ensuring our cloud is secure from modern threats,” said Price. “We built Azure with security in mind from the beginning, and work to help customers secure their Azure cloud environment with products such as Azure Sentinel and Azure Security Center. And if a situation arises, our Cloud Defense Operation Center (CDOC) and security teams work around the clock to identify, analyze and respond to threats in real time.”

Black Hat USA 2019 kicked off this week in Las Vegas.
