Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities

Azure Sphere Security Research Challenge results

Azure Sphere Security Research Challenge results

Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.

The Azure Sphere Security Research Challenge, announced in May, invited security researchers to find vulnerabilities in Azure Sphere, Microsoft’s IoT security solution, which the tech giant designed to provide end-to-end security across hardware, operating system and the cloud.

Microsoft said it received a total of 40 vulnerability reports, 30 of which led to improvements and 16 eligible for a bug bounty. The highest reward paid out was $48,000 and the lowest was $3,300.

Microsoft teamed up with several cybersecurity solutions providers for the Azure Sphere bug bounty challenge, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler. However, it says Cisco and McAfee found some of the most interesting vulnerabilities.

McAfee published a lengthy report detailing its findings and the company said it earned a total of $160,000, which it plans on donating to charity. The company’s researchers managed to gain root access by chaining six bugs, three of which were rated critical. McAfee’s findings also included a previously unknown vulnerability in the Linux kernel.

Cisco Talos has also described the vulnerabilities found by its researchers. They have identified over a dozen issues, including arbitrary code execution, denial-of-service (DoS), information disclosure, and privilege escalation flaws. Talos also disclosed back in August some of the vulnerabilities it found in Azure Sphere.

“This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration,” said Sylvie Liu, senior security program manager at Microsoft. “We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research.”

Microsoft pointed out that bug bounty hunters can continue to report vulnerabilities found in Azure Sphere through the Azure Bounty Program, which offers rewards of up to $40,000.

Advertisement. Scroll to continue reading.

Related: Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year

Related: Microsoft Explains How It Processes Vulnerability Reports

Related: New Security Capabilities Announced for Microsoft 365, Azure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.