Cloud Security

Microsoft Offers Up to $300,000 in New Azure Security Lab

Microsoft makes changes to Azure bug bounty program

August 6, 2019

Microsoft makes changes to Azure bug bounty program

Microsoft announced this week at the Black Hat conference in Las Vegas that the top reward for vulnerabilities discovered in its Azure cloud services has been doubled, and a new security testing environment gives researchers the chance to conduct more aggressive tests and earn significant rewards.

Microsoft told white hat hackers that they can now earn between $500 and $40,000 for Azure vulnerabilities.

The company also announced the launch of the Azure Security Lab, a dedicated testing environment set up to allow researchers to “come and do their worst to emulate criminal hackers.”

Bug bounty programs typically prohibit participants from exploiting the vulnerabilities they find — the full extent of the impact is assessed by the vendor as the tests conducted by researchers could result in serious damage.

In the case of the Azure Security Lab, the environment is powered by a set of dedicated cloud hosts isolated from the ones used by customers. This allows hackers to actually exploit the vulnerabilities they find.

The Azure Security Lab also includes scenario-based challenges that give participants the chance to earn $300,000.

A vulnerability that allows a guest-to-host or guest-to-guest escape can be worth up to $300,000, and so is a privilege escalation flaw that allows an attacker to obtain admin access to a Secure Lab subscription. A denial-of-service (DoS) on the Azure host can be worth up to $50,000.

Microsoft says a “select group of talented individuals” will be given access to the new testing environment. Interested researchers can make a request to join the Azure Security Lab using a dedicated form.

Advertisement. Scroll to continue reading.

Microsoft has also announced that it has formalized its Safe Harbor principles, which assure researchers that they will not face any legal consequences if they responsibly disclose vulnerabilities.

The tech giant says it has paid out $4.4 million in bug bounties over the past 12 months.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

CIEM Chat: How to Reduce Cloud Identity Risk

March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Virtual Event: Ransomware Resilience & Recovery Summit

April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Navigating Vendor Speak: A Security Practitioner’s Guide to Seeing Through the Jargon

As a security industry, we need to focus our energies on those professionals among us who know how to walk the walk. (Joshua Goldfarb)

SD-WAN: Don’t Build a Dead End, Prepare for Future-Proof Secure Networking

SD-WAN must be scalable, stable, secure, and fully operational to serve as a strong base for seamless modernization and progression to SASE. (Etay Maor)

You Against the World: The Offenders Dilemma

Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves. (Tom Eston)

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. (Marc Solomon)

Know Your Audience When Speaking to Security Practitioners

How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises? (Joshua Goldfarb)

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

SecurityWeek NewsMarch 26, 2014

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Eduard KovacsSeptember 24, 2019

Topics for 2023 Cybersecurity Insights Series

CISO Strategy

SecurityWeek Cyber Insights 2023 Series

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Kevin TownsendFebruary 13, 2023

Incident Response

Amazon’s Shuttering of Alexa Ranking Service Hits Cybersecurity Industry

Amazon has shut down Alexa.com.

Eduard KovacsMay 6, 2022

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Eduard KovacsMarch 28, 2023

CISO Conversations

CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Kevin TownsendMay 10, 2023

IoT Security

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Ionut ArghireJanuary 5, 2023