Microsoft launches $20,000 Azure DevOps bug bounty programme

Critical remote code execution flaws are the highest-paid, while denial-of-service attacks earn nothing

Microsoft Azure

Security researchers who discover flaws in Microsoft's Azure DevOps platform could earn themselves up to $20,000, after the company announced its latest bug bounty programme.

The Microsoft Azure DevOps Services Bounty is the company's tenth concurrent bug bounty programme and covers Redmond's suite of cloud-based DevOps tools. Previously known as Visual Studio Team Services, these include continuous integration and continuous delivery (CI/CD) tools, Git repos, kanban boards, testing tools and more.

"Security has always been a passion of mine," said Microsoft's director of engineering for Azure DevOps, Buck Hodges, "and I see this program as a natural complement to our existing security framework. We'll continue to employ careful code reviews and examine the security of our infrastructure. We'll still run our security scanning and monitoring tools. And we'll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses."

Rewards range from $500 all the way up to $20,000 at the top end, with payouts affected by a number of different factors. The quality of the report itself (meaning how easy the report makes it for Microsoft's engineers to understand, reproduce and fix the problem) is graded as either high, medium or low, with different bounties for each.

Advertisement - Article continues below
Advertisement - Article continues below

Different levels of compensation are also awarded based on the severity of the bug, but only 'critical' or 'important' bugs will qualify for a reward - disclosures of any other category of bug will merely earn a public acknowledgement from Microsoft, should the report lead to a fix.

Finally, the impact of the bug itself will be taken into consideration too. Remote code execution flaws are, understandably, the most valuable, followed by privilege escalation and information leaking, while tampering flaws are eligible only for a limited payout, and denial of service vulnerabilities are not rewarded at all.

Bug bounties are becoming an increasingly common security measure among large companies, with the idea being to make it more valuable to responsibly disclose the flaw to the victim than to exploit it for personal gain.

Major organisations like Facebook, Apple, and Google all offer their own bug bounty programmes, and the practice is touted as a good way to ensure that fewer flaws and exploits appear in the wild.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


cloud computing

Microsoft has an edge on AWS, according to IT executives

8 Jan 2020

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Microsoft Surface Laptop 3 13in review: Almost the perfect laptop

6 Dec 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020