Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities

Azure Sphere Security Research Challenge results

Azure Sphere Security Research Challenge results

Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.

The Azure Sphere Security Research Challenge, announced in May, invited security researchers to find vulnerabilities in Azure Sphere, Microsoft’s IoT security solution, which the tech giant designed to provide end-to-end security across hardware, operating system and the cloud.

Microsoft said it received a total of 40 vulnerability reports, 30 of which led to improvements and 16 eligible for a bug bounty. The highest reward paid out was $48,000 and the lowest was $3,300.

Microsoft teamed up with several cybersecurity solutions providers for the Azure Sphere bug bounty challenge, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler. However, it says Cisco and McAfee found some of the most interesting vulnerabilities.

McAfee published a lengthy report detailing its findings and the company said it earned a total of $160,000, which it plans on donating to charity. The company’s researchers managed to gain root access by chaining six bugs, three of which were rated critical. McAfee’s findings also included a previously unknown vulnerability in the Linux kernel.

Cisco Talos has also described the vulnerabilities found by its researchers. They have identified over a dozen issues, including arbitrary code execution, denial-of-service (DoS), information disclosure, and privilege escalation flaws. Talos also disclosed back in August some of the vulnerabilities it found in Azure Sphere.

“This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration,” said Sylvie Liu, senior security program manager at Microsoft. “We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research.”

Microsoft pointed out that bug bounty hunters can continue to report vulnerabilities found in Azure Sphere through the Azure Bounty Program, which offers rewards of up to $40,000.

Related: Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year

Related: Microsoft Explains How It Processes Vulnerability Reports

Related: New Security Capabilities Announced for Microsoft 365, Azure

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.