Microsoft launches Azure Security Lab, expands bug bounty rewards

Researchers can earn up to $40,000 for reporting Azure vulnerabilities.

Microsoft is pushing for enhanced security for the Azure cloud computing service with the launch of a new lab and increased bug bounty rewards.

At the Black Hat USA conference in Las Vegas, Nevada on Monday, Microsoft said the new Azure Security Lab, a set of dedicated cloud hosts, will be made available to security professionals invited by the Redmond giant to "confidently and aggressively test Azure."

The lab is isolated from the main Azure framework to prevent hacking attempts and tests from disrupting normal functionality. Microsoft's internal security team will be on hand to work with researchers on any findings.  

Microsoft says that participants should "come and do their worst."

"The isolation of the Azure Security Lab allows us to offer something new: researchers can not only research vulnerabilities in Azure, they can attempt to exploit them," the tech giant says. "Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag."

Financial rewards of up to $300,000 are available for Azure security challenges offered by Microsoft, and applications to join the program are now open.

Microsoft also announced changes to the traditional Azure bug bounty program. The company has awarded over $4.4 million in bug bounty rewards over the past 12 months -- a jump from $2 million in 2018 -- and now, security researchers can earn up to $40,000 for severe Azure vulnerability reports. 

Bug bounties are a valuable way for companies, no matter the size, to draw in external help in squashing bugs which could place corporate assets, as well as users and their data, at risk. 

Cloud Bounty payouts were originally capped at $20,000, and alongside the doubled payout for Azure, Microsoft also offers top rewards for bounties in the Microsoft Mitigation Bypass Bounty and Bounty for Defense Programs, where researchers can expect up to $100,000 for mitigation bypass reports, among other severe vulnerabilities.

Furthermore, the tech giant has now formalized its position and acceptance of Safe Harbor principles, in which researchers can identify and report vulnerabilities and security issues without fear of legal repercussions. 

Google, too, has recently boosted its bug bounty offerings, with rewards for "high quality" reports now increased from $15,000 to $30,000. Baseline rewards are now worth $15,000 in Chrome for discoveries including sandbox escapes and memory corruption flaws.
