Microsoft has so many new things lined up for release this season with likes of Windows 10 and Project Spartan entering PC and mobile devices market very soon. In regards to this, it was announced earlier yesterday that Microsoft will be expanding its Microsoft Bounty Programs with the inclusion of Azure, Windows 10 and Project Spartan. Microsoft has a long history of working closely with security researchers. Microsoft is taking steps to maintain high level of security to the cloud services by evolving its Online Services Bug Bounty, launching a new bounty for Project Spartan, and updating the Mitigation Bypass Bounty.
Project Spartan, which is expected to be the successor for Internet Explorer in Windows 10, has gained its own bug bounty program. This new expansion also included Azure, which is Microsoft’s cloud platform and the backbone of Microsoft cloud services. The new program will also include Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory, and so on. Microsoft also showed its commitment towards Sway.com, which is a web application that lets users express ideas in an entirely new way across many devices and platforms by including this technology in its Bounty Program expansion. Microsoft has also increased the maximum payout for the Online Services Bug Bounty Program. The company will now pay up to $15,000 USD for critical bugs — more impact and better documented bugs will get you the most money.
With the addition of Azure to the Microsoft Online Services Bug Bounty Program, customers now have the ability to perform targeted security vulnerability assessments of the Azure platform itself. If issues are identified that meet the eligibility requirements, the finder can be rewarded for their work that helps makes Azure a more secure platform for all.
-David Cross, Azure security engineering director
Jason Shirk from MSRC Team said in his blog that the new bounty related to the Windows 10 Technical Preview also was announced that is expected to be considered in expansion program:
• Project Spartan Bug Bounty
• Microsoft’s new browser will be the on ramp to the Internet for millions of users when Windows 10 launches later this year. Securing this platform is a top priority for the browser team.
• This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.
• Always be sure to use the latest version released in the Windows 10 Technical Preview.
• Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan, you can see the specifics in the program terms. Don’t hesitate as the Project Spartan Bug Bounty will run from April 22, 2015 to June 22, 2015 .The bounties for Spartan are tiered by the difficulty of the issue reported, as well as the quality of the documentation and how reproducible the issue is.
Mitigation Bypass bounty and the Bonus bounty for Defence and novel methods to bypass active mitigation (e.g. ASLR and DEP) are both very active in Bounty Program of Microsoft, paying up to $100,000 USD and a bonus of up to $50,000 USD for actionable defence techniques to the reported bypass. New addition to this bounty was made with introduction of Hyper-V escape
• Guest-to-Host
• Guest-to-Guest
• Guest-to-Host DoS (non-distributed, from a single guest)
These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud. They will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services and Security and Compliance Accreditations by third party audits.
Bug bounties are an increasingly important part of the vulnerability research and defence ecosystem of not only Microsoft but many other IT giants and will continue to evolve over time. Microsoft was however bit late to declare its bug bounty game compared to its competitors. To best protect its users, Microsoft is expected to regularly manage its Bounty Programs. Since June 2013, Microsoft has been rewarding security researchers for their hard work (up to $100,000 in some cases) in helping to improve its software and services. So you can go ahead and work on this new exciting products hoping to find security holes and get paid!! However, while working on these new software, make sure you are working on its latest version, else hard work is going to be in vain.
