Microsoft Bug Bounty Hits $100,000 for IoT Vulnerabilities

The top prizes for bug bounties have crept steadily upwards in recent years. Last year, for example, Google offered a cool $1.5 million to whoever could uncover a certain kind of Android bug. Now Microsoft’s offering $100,000 to anyone who can discover vulnerabilities in its Azure Sphere.

Azure Sphere is a little different than the typical system that’s open to a bug bounty. Most of the time, companies let the crowd loose on a website or the public-facing parts of an app, and the bug bounty rules explicitly forbid people from trying to crack mission-critical systems or databases with sensitive information. Azure Sphere, on the other hand, is a platform for maintaining and updating Internet of Things (IoT) devices via the cloud; it’s a big, complex, important environment.

Given the complexity and importance, Microsoft isn’t letting anyone with a web connection and a spare weekend take a run at it; it wants people to apply for a three-month “security research challenge” (named the Azure Sphere Security Research Challenge) before they can begin picking at Azure Sphere’s weaknesses. Two key scenarios will unlock that aforementioned $100,000 reward: figuring out how to execute code on Pluton, and figuring out how to execute code on Secure World

“This research challenge is focused on the Azure Sphere OS,” read Microsoft’s blog posting on the matter. “Vulnerabilities found outside the research initiative scope, including the Cloud portion, may be eligible for the public Azure Bounty Program awards. Physical attacks are out of scope for this research challenge and the public Azure Bounty Program.”

Fortunately, applicants to the program also have access to Azure Sphere’s development kit and product documentation, as well as “direct communication channels with the Microsoft team.” 

“The Azure Sphere Security Research Challenge partnership brings Microsoft together with AviraBaidu International TechnologyBitdefenderBugcrowdCisco Systems Inc (Talos)ESETFireEyeF-Secure CorporationHackerOneK7 ComputingMcAfeePalo Alto Networks and Zscaler, who all bring expertise in IoT security research,” the blog added. “This kind of collaboration compliments Microsoft’s internal work to secure the ecosystem, as digital transformation leads more and more customers to the cloud, where connected IoT devices must be secured.”

Microsoft has paid out substantial bug bounties before. For instance, ahead of the 2019 edition of the Black Hat security conference, it announced a $300,000 prize for anyone who could figure out a virtual machine escape (demonstrating “a functional exploit enabling an escape from a guest VM to the host or to another guest VM”), as well as $40,000 prizes for finding critical targets in Azure. 

Even before the COVID-19 pandemic, cybersecurity attacks on companies were on the rise. One report from late last yearfound that 88 percent of chief information security officers (CISOs) consider themselves under moderate or high levels of stress. While bug bounties and crowdsourced researching can alleviate some of this pressure—just ask the Pentagon, which is now relying on “white hat” hackers to find timely vulnerabilities—those are just one part of companies’ overall cybersecurity preparedness.