Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities

Azure Sphere Security Research Challenge results

Azure Sphere Security Research Challenge results

Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.

The Azure Sphere Security Research Challenge, announced in May, invited security researchers to find vulnerabilities in Azure Sphere, Microsoft’s IoT security solution, which the tech giant designed to provide end-to-end security across hardware, operating system and the cloud.

Microsoft said it received a total of 40 vulnerability reports, 30 of which led to improvements and 16 eligible for a bug bounty. The highest reward paid out was $48,000 and the lowest was $3,300.

Microsoft teamed up with several cybersecurity solutions providers for the Azure Sphere bug bounty challenge, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler. However, it says Cisco and McAfee found some of the most interesting vulnerabilities.

McAfee published a lengthy report detailing its findings and the company said it earned a total of $160,000, which it plans on donating to charity. The company’s researchers managed to gain root access by chaining six bugs, three of which were rated critical. McAfee’s findings also included a previously unknown vulnerability in the Linux kernel.

Cisco Talos has also described the vulnerabilities found by its researchers. They have identified over a dozen issues, including arbitrary code execution, denial-of-service (DoS), information disclosure, and privilege escalation flaws. Talos also disclosed back in August some of the vulnerabilities it found in Azure Sphere.

“This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration,” said Sylvie Liu, senior security program manager at Microsoft. “We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research.”

Microsoft pointed out that bug bounty hunters can continue to report vulnerabilities found in Azure Sphere through the Azure Bounty Program, which offers rewards of up to $40,000.

Advertisement. Scroll to continue reading.

Related: Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year

Related: Microsoft Explains How It Processes Vulnerability Reports

Related: New Security Capabilities Announced for Microsoft 365, Azure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...