Microsoft added a new bug bounty program that pays hackers to find security flaws in its software. This latest move targets Azure DevOps, Microsoft’s cloud platform for collaborating on code development. The program will pay between $500 and $20,000 for eligible vulnerabilities found in Azure DevOps online services and the latest release of Azure DevOps Server.
To be eligible, a submission has to identify a previously unreported vulnerability in Azure DevOps online services or products, and it must include steps that Microsoft engineers can take to reproduce and fix the flaw.
The $20,000 bug bounties will go to researchers who uncover critical remote code execution (RCE) vulnerabilities. Microsoft will also pay rewards for submissions related to elevation of privilege, information disclosure, spoofing, and tampering.
“If your submission isn’t eligible for bounty but still helps us fix or improve our product, we’ll offer public thanks and recognition for your contribution,” wrote Jarek Stanley, senior program manager at Microsoft Security Response Center, in a blog post.
This isn’t Microsoft’s first bounty program. Its largest reward offers up to $250,000 for finding critical flaws in its Hyper-V hypervisor. And its other bug bounties pay between $15,000 and $100,000 for disclosing vulnerabilities in Microsoft cloud services and Windows.
Other Bug Bounty Awards
For comparison, Google and Apple pay up to $200,000 per bounty. Google’s most recent vulnerability reward program yearly report said it awarded $2.9 million in 2017, bringing its total bug bounty payout after seven years to about $12 million.
Last year, following the Spectre and Meltdown security flaws, Intel revamped its bug bounty, opening up the previously invite-only program to the public and paying up to $250,000 per valid vulnerability.
It looks like the trend is for companies to continue to increase their reward amounts as the risks — and costs — of not finding such flaws grow. Bug bounties jumped 33 percent year over year, with $11.7 million awarded in 2017, according to the Hacker-Powered Security Report 2018.
The 2018 Bugcrowd State of Bug Bounty Report also reported a surge in the number and severity of vulnerabilities — and payouts to hackers. The total number of vulnerabilities submitted via the company’s Crowdcontrol platform surpassed 37,000 submissions between April 1, 2017, and March 31, 2018. That represents a 21 percent increase from the prior year. The Bugcrowd report also found a 100 percent increase in the average payout across all programs and industries.