SecurityWeek

Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities

Azure Sphere Security Research Challenge results

Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.

The Azure Sphere Security Research Challenge, announced in May, invited security researchers to find vulnerabilities in Azure Sphere, Microsoft’s IoT security solution, which the tech giant designed to provide end-to-end security across hardware, operating system and the cloud.

Microsoft said it received a total of 40 vulnerability reports, 30 of which led to improvements and 16 of which were eligible for a bug bounty. The highest reward paid out was $48,000 and the lowest was $3,300.

Microsoft teamed up with several cybersecurity solutions providers for the Azure Sphere bug bounty challenge, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler. However, it says Cisco and McAfee found some of the most interesting vulnerabilities.

McAfee published a lengthy report detailing its findings and the company said it earned a total of $160,000, which it plans on donating to charity. The company’s researchers managed to gain root access by chaining six bugs, three of which were rated critical. McAfee’s findings also included a previously unknown vulnerability in the Linux kernel.

Cisco Talos has also described the vulnerabilities found by its researchers. They identified over a dozen issues, including arbitrary code execution, denial-of-service (DoS), information disclosure, and privilege escalation flaws. Back in August, Talos had already disclosed some of the vulnerabilities it found in Azure Sphere.

“This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration,” said Sylvie Liu, senior security program manager at Microsoft. “We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research.”

Microsoft pointed out that bug bounty hunters can continue to report vulnerabilities found in Azure Sphere through the Azure Bounty Program, which offers rewards of up to $40,000.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
