This article is part of the RSA Conference 2015 special coverage: news, analysis and video.

Microsoft looks to boost Azure security with bug bounties

At RSA Conference 2015 Microsoft expanded its bug bounties. The program will now include three new products, including Azure and Hyper-V.

Microsoft Wednesday announced the expansion of its bug bounty program to include its Azure platform as a service as well as other products.

In a session on cloud security breaches at RSA Conference 2015, Mark Russinovich, CTO of Azure, announced the addition of the cloud platform to Microsoft Online Services' bug bounty program. The program, which covers Office 365, offers Azure customers a minimum payment of $500 and up to a maximum of $15,000 for submitted vulnerabilities.

"If you find a vulnerability in Azure, you're now eligible for this bug bounty program," Russinovich said.

The bug bounty program prohibits any denial-of-service attack simulations or automated penetration testing that would generate a significant amount of traffic; it also outlaws any phishing or social engineering attacks as well as obtaining data from other Azure customers. Eligible submissions include cross-site scripting, server-side code execution and privilege escalation.

In an interview, Russinovich said he expects the Azure bug bounty program to draw a lot of interest. "We've definitely paid out a lot for Office 365, so that'll probably continue here [with Azure]," he said, adding that bug bounties have proven to be a useful resource for other Microsoft products.

Russinovich also announced a Mitigation Bypass Bounty program for Microsoft's Hyper-V virtualization software, which he called a "key part of our security boundary" for Azure. Eligible issues for the mitigation bypass program may include virtual machine escapes and denial-of-service attacks. The program also has higher payouts -- a maximum of $100,000 with a bonus of up to $50,000 for "BlueHat" defense submissions.

"We want to make sure we don't have attackers discovering bugs in Hyper-V before we do," Russinovich said during his presentation.

Lastly, Russinovich announced that Project Spartan, the code name for Microsoft's new Web browser for Windows 10, has been added to the bug bounty program. As with the Azure bug bounties, Project Spartan submissions are eligible for a minimum of $500 and a maximum of $15,000.

Russinovich told audience members that they should expect a continued rollout this year of new Azure security features and community efforts such as the bug bounty programs. "You're going to see Azure put in more controls and more services, by default, that are going to make it easier for you to stay secure," Russinovich said. "We also believe in trying to engage the community to try and stay secure."


Do you think the bug bounty program will make any difference for Azure's security?
I think bug bounties can find lots of bugs, but from what I've seen they are mostly superficial, happy-path bugs that a typical test cycle would have found anyway. I've seen several bug bounty programs conducted by popular crowdsourcing platforms. Unfortunately, the vast majority of those participating are largely unskilled in the nuances of software testing. When you combine this with the pay-by-the-bug model, the result is a few of the more severe bugs, but most of those involved report numerous bugs that are near trivial just to make the easy money, creating a lot of noise. So, based on my experience, I don't think that it will make much of a difference.
The way I see it, it is great that companies like Microsoft are actively creating, with bug bounty programs, an option for whom to sell information about security bugs to. It seems that in general with product companies, the experience still is that there are black-market buyers, whereas if you contact the company, you're treated with dismissal. Rewarding this information, and thus changing its market to make it tempting for skilled security professionals to work on identifying security flaws, is great. The financial reward is one incentive, but the fame is another, and the bounty programs work on both. I would rather see that than a recent example, where reporting a security flaw ended up in a police visit rather than a thank you or a reward. It needs to be easy to do the right thing.
I think one good thing that could come from this is to get people who use these tools to report bugs that they run across. I think that, a lot of the time, teams may encounter a bug when they are using the system, but they find a workaround and keep moving without submitting a bug report. I think that a bug bounty may motivate some of these issues to be submitted rather than simply bypassed.