Microsoft launches $20,000 Azure DevOps bug bounty programme

Critical remote code execution flaws are the highest-paid, while denial-of-service attacks earn nothing

Microsoft Azure

Security researchers who discover flaws in Microsoft's Azure DevOps platform could earn themselves up to $20,000, after the company announced its latest bug bounty programme.

The Microsoft Azure DevOps Services Bounty is the company's tenth concurrent bug bounty programme and covers Redmond's suite of cloud-based DevOps tools. Previously known as Visual Studio Team Services, these include continuous integration and continuous delivery (CI/CD) tools, Git repos, kanban boards, testing tools and more.

"Security has always been a passion of mine," said Microsoft's director of engineering for Azure DevOps, Buck Hodges, "and I see this program as a natural complement to our existing security framework. We'll continue to employ careful code reviews and examine the security of our infrastructure. We'll still run our security scanning and monitoring tools. And we'll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses."

Rewards range from $500 all the way up to $20,000 at the top end, with payouts affected by a number of different factors. The quality of the report itself (meaning how easy the report makes it for Microsoft's engineers to understand, reproduce and fix the problem) is graded as either high, medium or low, with different bounties for each.

Different levels of compensation are also awarded based on the severity of the bug, but only 'critical' or 'important' bugs will qualify for a reward - disclosures of any other category of bug will merely earn a public acknowledgement from Microsoft, should the report lead to a fix.

Finally, the impact of the bug itself will be taken into consideration too. Remote code execution flaws are, understandably, the most valuable, followed by privilege escalation and information leaking, while tampering flaws are eligible only for a limited payout, and denial of service vulnerabilities are not rewarded at all.

Bug bounties are becoming an increasingly common security measure among large companies, with the idea being to make it more valuable to responsibly disclose the flaw to the victim than to exploit it for personal gain.

Major organisations like Facebook, Apple, and Google all offer their own bug bounty programmes, and the practice is touted as a good way to ensure that fewer flaws and exploits appear in the wild.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Microsoft targets tab hoarders with new Edge features
web browser

Microsoft targets tab hoarders with new Edge features

5 Mar 2021
Monero miners target cloud-native development environments
cryptocurrencies

Monero miners target cloud-native development environments

5 Mar 2021
CISA orders agencies to fix Microsoft vulnerabilities abused by Chinese hackers
Security

CISA orders agencies to fix Microsoft vulnerabilities abused by Chinese hackers

4 Mar 2021
IT security awareness and training firm KnowBe4 acquires MediaPRO
Acquisition

IT security awareness and training firm KnowBe4 acquires MediaPRO

3 Mar 2021

Most Popular

Star Alliance passenger data stolen in SITA data breach
data breaches

Star Alliance passenger data stolen in SITA data breach

5 Mar 2021
I went shopping at Amazon’s till-less supermarket so that you don’t have to
automation

I went shopping at Amazon’s till-less supermarket so that you don’t have to

5 Mar 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021