Microsoft has launched a new bug bounty program for the Azure DevOps cloud service with rewards of up to $20,000 on offer for interested researchers.
On Thursday, Microsoft revealed the bug bounty scheme is now open for researchers willing to help improve the security of Azure DevOps, a cloud-based platform used for code development collaboration purposes.
According to Jarek Stanley, Microsoft Security Response Center (MSRC) Senior Program Manager, the new program is "dedicated to providing rock-solid security for our DevOps customers."
Bug bounty awards range from $500 to $20,000. The most serious bugs resulting in remote code execution (RCE) are eligible for the maximum award but depending on severity -- ranked as "high," "medium," and "low" -- payouts are pegged at $10,000, $15,000, or $20,000.
In addition to RCE vulnerabilities, Microsoft is also awarding researchers for bug reports relating to privilege escalation, information disclosure, spoofing, and system tampering.
Cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), cross-tenant data tampering and access, insecure direct object references, insecure deserialization, injection bugs, server-side code execution, and any "significant" security misconfigurations unearthed by bug bounty hunters are all acceptable under the terms of the program.
However, denial-of-service bugs have been deemed out of scope and will not be rewarded.
The full payout list is below:
Researchers must provide a write-up or video documenting their findings, a description of the vulnerability, and proof-of-concept (PoC) code which will permit engineers to replicate the bug and potential attacks.
Microsoft is not the only major tech vendor choosing to expand its bug bounty programs. In February last year, Intel opened up its program to the public and dangled rewards of up to $250,000 for high-severity flaws, with side-channel vulnerabilities of particular interest.
The European Union has also recently become involved in the bug bounty industry by promising to fund bug bounty programs for open-source projects including KeePass, 7-zip, VLC Media Player, Drupal, and FileZilla.