Microsoft Rang Up Over $370K in Azure Sphere Bug Bounties

Microsoft has shelled out $374,300 in security bounties as part of its Azure Sphere Security Research Challenge, the company said this week.

Through the program, which ended on Tuesday, Microsoft enlisted 70 researchers from 21 countries to buttress its Azure Sphere Internet of Things (IoT) security solution. Of the 20 "critical" or "important" vulnerabilities that the researchers found, 16 were eligible under the terms of the program, amounting to $374,300 in bounty awards.

"Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere," Microsoft said in a blog post.

The highest bounty was $48,000, while the lowest was $3,300.

"Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product," Microsoft said in a separate post. "The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system -- something often referred to in the field as 'by design.'"

Three "general scenarios" for which disclosures were submitted include:

  • Anything allowing execution of unsigned code that isn't pure return oriented programming (ROP) under Linux.
  • Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary).
  • Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state DeviceComplete when claimed to a tenant you are not signed into and have no saved capabilities for.

Microsoft singled out Cisco Talos and McAfee Advanced Threat Research (ATR) in particular for finding several important vulnerabilities.

McAfee ATR published its own extensively detailed post about its efforts in the program.

About the Author

David Ramel is an editor and writer for Converge360.
