Microsoft launches Azure DevOps bug bounty program, $20,000 rewards on offer

The Redmond giant is keenly interested in remote code execution and privilege escalation flaws.
Written by Charlie Osborne, Contributing Writer

Microsoft has launched a new bug bounty program for the Azure DevOps cloud service with rewards of up to $20,000 on offer for interested researchers.  

On Thursday, Microsoft revealed the bug bounty scheme is now open for researchers willing to help improve the security of Azure DevOps, a cloud-based platform used for code development collaboration purposes.

Azure DevOps is used by developers worldwide to work on code-related projects and includes test pipelines, private Git repo access, package and artifact creation, and testing tools.

According to Jarek Stanley, Microsoft Security Response Center (MSRC) Senior Program Manager, the new program is "dedicated to providing rock-solid security for our DevOps customers."

Bug bounty awards range from $500 to $20,000. The most serious bugs resulting in remote code execution (RCE) are eligible for the maximum award, but depending on severity -- ranked as "high," "medium," and "low" -- payouts are pegged at $10,000, $15,000, or $20,000.

In addition to RCE vulnerabilities, Microsoft is also rewarding researchers for bug reports relating to privilege escalation, information disclosure, spoofing, and system tampering.

Cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), cross-tenant data tampering and access, insecure direct object references, insecure deserialization, injection bugs, server-side code execution, and any "significant" security misconfigurations unearthed by bug bounty hunters are all acceptable under the terms of the program.

However, denial-of-service bugs have been deemed out of scope and will not be rewarded.

The full payout list is below:


Researchers must provide a write-up or video documenting their findings, a description of the vulnerability, and proof-of-concept (PoC) code which will permit engineers to replicate the bug and potential attacks.

Microsoft is not the only major tech vendor choosing to expand its bug bounty programs. In February last year, Intel opened up its program to the public and dangled rewards of up to $250,000 for high-severity flaws, with side-channel vulnerabilities of particular interest.

Google then chose to expand its bug bounty program in August to include external attack techniques and vectors which threat actors could exploit to bypass abuse and fraud protection systems.

Facebook now awards up to $40,000 for account takeover vulnerabilities and will also reward hunters for reports of user token exposure problems.

The European Union has also recently become involved in the bug bounty industry by promising to fund bug bounty programs for open-source projects including KeePass, 7-zip, VLC Media Player, Drupal, and FileZilla. 
