Microsoft looks to boost Azure security with bug bounties

At RSA Conference 2015 Microsoft expanded its bug bounties. The program will now include three new products, including Azure and Hyper-V.

Microsoft Wednesday announced the expansion of its bug bounty program to include its Azure platform as a service as well as other products.

In a session on cloud security breaches at RSA Conference 2015, Mark Russinovich, CTO of Azure, announced the addition of the cloud platform to Microsoft Online Services' bug bounty program. The program, which covers Office 365, offers Azure customers a minimum payment of $500 and up to a maximum of $15,000 for submitted vulnerabilities.

"If you find a vulnerability in Azure, you're now eligible for this bug bounty program," Russinovich said.

The bug bounty program prohibits any denial-of-service attack simulations or automated penetration testing that would generate a significant amount of traffic; it also outlaws any phishing or social engineering attacks as well as obtaining data from other Azure customers. Eligible submissions include cross-site scripting, server-side code execution and privilege escalation.

In an interview, Russinovich said he expects the Azure bug bounty program to draw a lot of interest. "We've definitely paid out a lot for Office 365, so that'll probably continue here [with Azure]," he said, adding that bug bounties have proven to be a useful resource for other Microsoft products.

Russinovich also announced a Mitigation Bypass Bounty program for Microsoft's Hyper-V virtualization software, which he called a "key part of our security boundary" for Azure. Eligible issues for the mitigation bypass program may include virtual machine escapes and denial-of-service attacks. The program also has higher payouts -- a maximum of $100,000 with a bonus of up to $50,000 for "BlueHat" defense submissions.

"We want to make sure we don't have attackers discovering bugs in Hyper-V before we do," Russinovich said during his presentation.

Lastly, Russinovich announced that Project Spartan, the code name for Microsoft's new Web browser for Windows 10, has been added to the bug bounty program. Similar to the Azure bug bounties, Project Spartan submissions are eligible for a minimum of $500 and a maximum of $15,000.

Russinovich told audience members that they should expect to see a continued rollout of new Azure security features and community efforts, such as the bug bounty programs, this year. "You're going to see Azure put in more controls and more services, by default, that are going to make it easier for you to stay secure," Russinovich said. "We also believe in trying to engage the community to try and stay secure."
