Microsoft Rang Up Over $370K in Azure Sphere Bug Bounties
Microsoft has shelled out $374,300 in security bounties as part of its Azure Sphere Security Research Challenge, the company said this week.
Through the program, which ended on Tuesday, Microsoft enlisted 70 researchers from 21 countries to buttress its Azure Sphere Internet of Things (IoT) security solution. Of the 20 "critical" or "important" vulnerabilities that the researchers found, 16 were eligible under the terms of the program, amounting to $374,300 in bounty awards.
"Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere," Microsoft said in a blog post.
The highest bounty was $48,000, while the lowest was $3,300.
"Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product," Microsoft said in a separate post. "The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system -- something often referred to in the field as 'by design.'"
Three "general scenarios" for which disclosures were submitted include:
- Anything allowing execution of unsigned code that isn't pure return-oriented programming (ROP) under Linux.
- Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary).
- Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state DeviceComplete when claimed to a tenant you are not signed into and have no saved capabilities for.
Microsoft singled out Cisco Talos and McAfee Advanced Threat Research (ATR) in particular for finding several important vulnerabilities.
McAfee ATR published its own extensively detailed post about its efforts in the program.
David Ramel is an editor and writer for Converge360.