Microsoft launches Azure Security Lab, expands bug bounty rewards

Microsoft is pushing for enhanced security for the Azure cloud computing service with the launch of a new lab and increased bug bounty rewards.

At the Black Hat USA conference in Las Vegas, Nevada on Monday, Microsoft said the new Azure Security Lab, a set of dedicated cloud hosts, will be made available to security professionals invited by the Redmond giant to "confidently and aggressively test Azure."

The lab is isolated from the main Azure framework to prevent hacking attempts and tests from disrupting normal functionality. Microsoft's internal security team will be on hand to work with researchers on any findings.  

Microsoft says that participants should "come and do their worst."

"The isolation of the Azure Security Lab allows us offer something new: researchers can not only research vulnerabilities in Azure, they can attempt to exploit them," the tech giant says. "Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag."

See also: Bug bounty drives VLC's biggest patch but attracts 'a-holes, scriptkiddies, scammers'

Financial rewards of up to $300,000 are available for Azure security challenges offered by Microsoft and applications to join the program are now open. 

Microsoft also announced changes to the traditional Azure bug bounty program. The company has awarded over $4.4 million in bug bounty rewards over the past 12 months -- a jump from $2 million in 2018 -- and now, security researchers can earn up to $40,000 for severe Azure vulnerability reports. 

CNET: There's a privacy explanation for why Apple doesn't let you delete Siri recordings

Bug bounties are a valuable way for companies, no matter the size, to draw in external help in squashing bugs which could place corporate assets, as well as users and their data, at risk. 

Cloud Bounty payouts were originally capped at $20,000, and alongside the doubled payout for Azure, Microsoft also offers top rewards for bounties in the Microsoft Mitigation Bypass Bounty and Bounty for Defense Programs, where researchers can expect up to $100,000 for mitigation bypass reports, among other severe vulnerabilities.

TechRepublic: How to build a vulnerability response plan: 6 tips

Furthermore, the tech giant has now formalized its position and acceptance of Safe Harbor principles, in which researchers can identify and report vulnerabilities and security issues without fear of legal repercussions. 

Google, too, has recently boosted its bug bounty offerings, with "high quality" reports now increased from $15,000 to $30,000. Baseline rewards are now worth $15,000 in Chrome for discoveries including sandbox escapes and memory corruption flaws.  

North Korea's history of bold cyber attacks

Previous and related coverage

• Microsoft: Our bug bounty payouts hit $2m in 2018 and we're offering more in 2019
  
• HackerOne's top 20 public bug bounty programs
  
• EU to fund bug bounty programs for 14 open source projects starting January 2019
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0