Microsoft launches Azure DevOps bug bounty program

Bounties of up to US$20,000 on offer

Microsoft has launched a new bug bounty program focused on Azure DevOps Services.

The software maker said it would pay from US$500 up to US$20,000 for vulnerabilities in the services, or in Azure DevOps Server or Team Foundation Server.

“The researcher community plays an essential role in keeping our customers secure, and we will review every submission and recognize your efforts according to our program criteria,” a Microsoft blog entry said.

“If your submission isn’t eligible for bounty but still helps us fix or improve our product, we’ll offer public thanks and recognition for your contribution.”

Microsoft in September announced it had transformed Visual Studio Team Services (VSTS) into Azure DevOps Services.

“Working with our customers and developers around the world, it’s clear DevOps has become increasingly critical to a team’s success,” Microsoft’s director of program management for Azure DevOps, Jamie Cool, wrote at the time.

“Azure DevOps captures over 15 years of investment and learnings in providing tools to support software development teams. In the last month, over 80,000 internal Microsoft users and thousands of our customers, in teams both small and large, used these services to ship products to you.”

At the top end of the scale in the new bug bounty program are critical vulnerabilities that could allow remote code execution; their discovery could net a security researcher US$20,000.

Until the recent announcement, Microsoft’s newest bug bounty program was one focused on identity services. The Microsoft Identity Bounty Program, launched in July 2018, is potentially significantly more lucrative, with up to US$100,000 on offer for reports of vulnerabilities in standards design or bugs that allow multi-factor authentication to be bypassed.