Microsoft Paid for Azure Sphere Vulnerabilities Through Bug Bounty Challenge


On Tuesday, Microsoft revealed the conclusions of its three-month-long Azure Sphere Security Testing Challenge and the organisation claims it has paid participants more than $374,000.

Announced in May, the Azure Sphere Vulnerability Testing Challenge challenged vulnerability researchers to discover weaknesses in Azure Sphere, the Microsoft IoT security framework developed by the tech giant to provide end-to-end security throughout hardware , operating system, and cloud.

Microsoft said a total of 40 vulnerability reports were issued, 30 of which led to enhancements and 16 of which were eligible for a bug bounty. $48,000 was the highest payout paid out and $3,300 was the lowest.

For the Azure Sphere bug bounty challenge, Microsoft partnered up with many cybersecurity solution providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler. However, it states that some of the most important bugs were discovered by Cisco and McAfee.

A detailed study outlining its conclusions was released by McAfee and the organisation said it raised $160,000 in total, which it expects to donate to charity. By chaining six vulnerabilities, three of which were classified serious, the company’s researchers managed to achieve root access. McAfee ‘s results have included a previously discovered Linux kernel flaw.

The vulnerabilities found by its researchers have also been identified by Cisco Talos. They have found over a dozen problems, including execution of arbitrary code, denial-of – service (DoS), leakage of data, and shortcomings in privilege escalation. Talos also revealed some of the flaws it noticed in the Azure Sphere back in August.

This was our first extension of the Azure Security Lab, a project to provide researchers with additional tools across weekly office hours and opportunities for direct collaboration to help ignite new , high-impact analysis and establish near collaboration between the security testing group and the Microsoft engineering teams, “said Sylvie Liu, senior security programme manager at Micros.” “We firmly agree that this initiative and the imminent expansion of the Azure Security Lab will help our cloud and Azure Sphere continue to be secure, and we look forward to expanding the opportunities available to security researchers to promote high-impact analysis.”

Microsoft points out that through the Azure Bounty Scheme, which promises incentives of up to $40,000, bug bounty hunters will continue to disclose bugs discovered in the Azure Sphere.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.