The Microsoft Security Response Center (MSRC) has announced the creation of a bug bounty program for Azure DevOps services.

On 17 January, MSRC said it would begin awarding bounties of up to $20,000 for reports on eligible vulnerabilities affecting Azure DevOps, a cloud service which helps developers collaborate on code across the entire development lifecycle.

Buck Hodges, director of engineering for Azure DevOps, fully supports the addition of this new program to Microsoft’s existing bug bounty suite and says it won’t replace security measures which Microsoft currently uses to test its service. As he explained in a blog post:

Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework. We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.

Under the parameters of the Microsoft Azure DevOps Bounty Program, security researchers must submit a report detailing an unreported vulnerability that affects either Azure DevOps Services (formerly Visual Studio Team Services) or the latest publicly available versions of Azure DevOps Server and Team Foundation Server. Each report should include steps through which Microsoft’s engineers may reproduce an issue so that they can fix it as quickly as possible.

A variety of vulnerabilities are in-scope of the bug bounty program. For instance, participants may receive up to $20,000 for submitting a high-quality report on a “critical” remote code execution flaw. They can receive bounties in the amount of several thousands of dollars for sharing a “critical” or “important” elevation of privilege or information disclosure flaw with the tech giant, by comparison. Further down on the (Read more...)