Microsoft dangles USD$300k in updated Azure cloud bug bounty


Microsoft has announced the Azure Security Lab with a special prize of USD$300,000 and has issued a warning over new attacks by the allegedly Kremlin-backed hacking group behind the VPNFilter router malware.

Microsoft unveiled Azure Security Lab at the Black Hat USA conference in Las Vegas on Monday, where it also told security researchers it was doubling the top bounty for Azure bugs to $40,000. But the program, which is open to eligible applicants only, also offers hackers “scenario-based challenges” that max out at $300,000.

The Azure Security Lab invites researchers to “do their worst” to emulate real-world attackers in a part of its cloud infrastructure that’s cordoned off from customers.

Hackers will need to apply if they want to participate and they’ll gain access to quarterly campaigns for targeted scenarios.

According to Microsoft, the space “is a dedicated part of Azure reserved for security researchers to explore and exploit vulnerabilities in ways that wouldn’t be practical on the standard cloud”, so long as the bugs are reported to Microsoft. 

Researchers will have the option to test their attacks on Windows Server 2019 and Ubuntu Linux virtual machines (VMs). 

There are two scenarios Microsoft has opened that offer researchers the chance to earn above the normal $40,000 limit. These include the very difficult VM escape, effectively on par with the Meltdown and Spectre flaws that affected most modern CPUs, and a denial of service (DoS) attack on an Azure host.

To get a $300,000 reward, a researcher would need to “demonstrate a functional exploit enabling an escape from a guest VM to the host or to another guest VM”. 

The scenario-based rewards exceed Microsoft's top bounty of $200,000 for mitigation bypasses plus a remedy for one. But it is also smaller than the $500,000 top price that exploit broker Zerodium put on the same VM exploits for Microsoft Hyper-V and VMware technology earlier this year.

Meanwhile, a successful DoS attack on an Azure host could net an attacker $50,000.

The newly doubled top prize in the standard Azure bounty is for a critical-rated flaw accompanied by a high quality report. 

Microsoft has now also offered up a document detailing its commitment to legal Safe Harbor for hackers who may stray on the wrong side of the law while researching bugs that are disclosed to Microsoft. Formalizing its stance on researchers who report bugs brings it in line with Microsoft-owned GitHub, which offered the legal guarantee to researchers earlier this year.

Microsoft states: “To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of Microsoft Bug Terms and Conditions ("the policy"). We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as WA Criminal Code 9A.90. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in our bug bounty programs’ scope."

The company also claims to have “issued $4.4 million dollars in bounty rewards over the past 12 months”, potentially making Microsoft's bug bounty payouts bigger than Google's, which in February said it had shelled out $3.4 million in 2018.
