Microsoft launches $20,000 Azure DevOps bug bounty programme

Critical remote code execution flaws are the highest-paid, while denial-of-service attacks earn nothing

Microsoft Azure

Security researchers who discover flaws in Microsoft's Azure DevOps platform could earn themselves up to $20,000, after the company announced its latest bug bounty programme.

The Microsoft Azure DevOps Services Bounty is the company's tenth concurrent bug bounty programme and covers Redmond's suite of cloud-based DevOps tools. Previously known as Visual Studio Team Services, these include continuous integration and continuous delivery (CI/CD) tools, Git repos, kanban boards, testing tools and more.

"Security has always been a passion of mine," said Microsoft's director of engineering for Azure DevOps, Buck Hodges, "and I see this program as a natural complement to our existing security framework. We'll continue to employ careful code reviews and examine the security of our infrastructure. We'll still run our security scanning and monitoring tools. And we'll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses."

Rewards range from $500 all the way up to $20,000 at the top end, with payouts affected by a number of different factors. The quality of the report itself (meaning how easy the report makes it for Microsoft's engineers to understand, reproduce and fix the problem) is graded as either high, medium or low, with different bounties for each.

Different levels of compensation are also awarded based on the severity of the bug, but only 'critical' or 'important' bugs will qualify for a reward - disclosures of any other category of bug will merely earn a public acknowledgement from Microsoft, should the report lead to a fix.

Finally, the impact of the bug itself will be taken into consideration too. Remote code execution flaws are, understandably, the most valuable, followed by privilege escalation and information leaking, while tampering flaws are eligible only for a limited payout, and denial of service vulnerabilities are not rewarded at all.

Bug bounties are becoming an increasingly common security measure among large companies, with the idea being to make it more valuable to responsibly disclose the flaw to the victim than to exploit it for personal gain.

Major organisations like Facebook, Apple, and Google all offer their own bug bounty programmes, and the practice is touted as a good way to ensure that fewer flaws and exploits appear in the wild.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Microsoft reveals plans for massive cloud expansion in China
data centres

Microsoft reveals plans for massive cloud expansion in China

18 Jun 2021
Ransomware criminals look to other hackers to provide them with network access
ransomware

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021