Microsoft launches $20,000 Azure DevOps bug bounty programme

Critical remote code execution flaws are the highest-paid, while denial-of-service attacks earn nothing

Microsoft Azure

Security researchers who discover flaws in Microsoft's Azure DevOps platform could earn themselves up to $20,000, after the company announced its latest bug bounty programme.

The Microsoft Azure DevOps Services Bounty is the company's tenth concurrent bug bounty programme and covers Redmond's suite of cloud-based DevOps tools. Previously known as Visual Studio Team Services, these include continuous integration and continuous delivery (CI/CD) tools, Git repos, kanban boards, testing tools and more.

"Security has always been a passion of mine," said Microsoft's director of engineering for Azure DevOps, Buck Hodges, "and I see this program as a natural complement to our existing security framework. We'll continue to employ careful code reviews and examine the security of our infrastructure. We'll still run our security scanning and monitoring tools. And we'll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses."

Advertisement - Article continues below

Rewards range from $500 all the way up to $20,000 at the top end, with payouts affected by a number of different factors. The quality of the report itself (meaning how easy the report makes it for Microsoft's engineers to understand, reproduce and fix the problem) is graded as either high, medium or low, with different bounties for each.

Advertisement - Article continues below

Different levels of compensation are also awarded based on the severity of the bug, but only 'critical' or 'important' bugs will qualify for a reward - disclosures of any other category of bug will merely earn a public acknowledgement from Microsoft, should the report lead to a fix.

Finally, the impact of the bug itself will be taken into consideration too. Remote code execution flaws are, understandably, the most valuable, followed by privilege escalation and information leaking, while tampering flaws are eligible only for a limited payout, and denial of service vulnerabilities are not rewarded at all.

Advertisement - Article continues below

Bug bounties are becoming an increasingly common security measure among large companies, with the idea being to make it more valuable to responsibly disclose the flaw to the victim than to exploit it for personal gain.

Major organisations like Facebook, Apple, and Google all offer their own bug bounty programmes, and the practice is touted as a good way to ensure that fewer flaws and exploits appear in the wild.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


web browser

Don't like Chromium Edge? Here's how to revive the old Edge

7 Jul 2020

Microsoft Azure Digital Twins previews new features

30 Jun 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020