Microsoft Launches Azure DevOps Bug Bounty Program
Microsoft of Thursday announced the launch of a new bug bounty program targeting Azure DevOps, a cloud service that allows users to collaborate on code development.
The tech giant is prepared to offer between $500 and $20,000 for vulnerabilities found in DevOps online services and the latest versions of DevOps Server and Team Foundation Server.
Bug bounty hunters have been invited to submit their findings to secure(at)microsoft.com. Eligible vulnerabilities include cross-site scripting (XSS), cross-site request forgery (CSRF), cross-tenant data tampering or access, insecure direct object reference, injections, server-side code execution, deserialization bugs, security misconfigurations not caused by the user, and the use of components with known vulnerabilities.
The highest rewards have been offered for critical remote code execution vulnerabilities that are disclosed via a high-quality report. Privilege escalation flaws can earn researchers between $1,000 and $8,000 depending on their severity and the quality of the report. Information disclosure weaknesses are also worth up to $8,000.
“The researcher community plays an essential role in keeping our customers secure, and we will review every submission and recognize your efforts according to our program criteria. If your submission isn’t eligible for bounty but still helps us fix or improve our product, we’ll offer public thanks and recognition for your contribution,” Microsoft said.
Microsoft currently runs nine other bug bounty programs. The highest rewards have been offered for vulnerabilities in Hyper-V (up to $250,000), Microsoft Identity (up to $100,000), and bypasses for anti-exploitation techniques in Windows (up to $100,000).