Microsoft has launched the Azure Sphere Research Challenge, offering approved security researchers individual rewards of up to $100,000 for dangerous exploits that break the security of Azure Sphere, its Linux-based platform for internet-connected (IoT) devices.
Azure Sphere consists of a custom Linux kernel and OS, a connected microcontroller, and a cloud-based security service that ensures IoT devices like fridges and washing machines can be updated and maintained remotely with protections against denial-of-service attacks and rogue software updates.
The new challenge runs for three months and offers the top reward of $100,000 to researchers who can execute code on Azure Pluton and Azure Secure World.
The Azure Sphere application platform features Normal World, the Linux equivalent of user mode, and Secure World, which sits below Microsoft's custom Linux kernel and is where the Security Monitor runs. Only Microsoft-supplied code can run in supervisor mode or in Secure World, Microsoft notes.
Security bugs found outside the challenge's scope, such as in the cloud portion of the Azure Sphere platform, could be granted awards under the public Azure Bounty Program. Physical attacks are out of the scope of both the challenge and the Azure Bounty Program.
Microsoft will supply approved researchers with an Azure Sphere development kit, access to Microsoft products and services for research purposes, Azure Sphere product documentation, and direct communication channels with the Microsoft team.
"By expanding the Azure Security Lab, we're providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud," Microsoft notes.
Microsoft is also tapping skills at several security firms with expertise in IoT security research, including Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco's Talos team, ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.