Microsoft Security Response Center (MSRC) announced today the launch of a bug bounty program covering the Azure DevOps services and the latest release of Azure DevOps Server.
Azure DevOps is a cloud service for developers who want to collaborate with their team while coding, with tools and features that cover the entire development lifecycle so that teams can ship software faster and with higher quality.
According to Redmond, starting January 17, the Azure DevOps Bounty program will come with rewards between $500 and $20,000, depending on the severity and impact of the submitted vulnerabilities and exploitation techniques, as well as the quality of each submission.
In-scope services and products:
- Azure DevOps Services (formerly Visual Studio Team Services)
- The latest publicly available versions of Azure DevOps Server and Team Foundation Server
The new bug bounty program will allow Microsoft to discover notable vulnerabilities with a direct and verifiable impact on the security of DevOps customers.
For vulnerability submissions which are out of the scope of the Azure DevOps Bounty program, Microsoft will offer the security researchers public recognition by adding them to the Online Service Acknowledgements page.
As detailed by Microsoft, eligible vulnerability submissions should:
- Identify a previously unreported vulnerability in one of the in-scope services or products
- For web application vulnerabilities, impact supported browsers for Azure DevOps Services and Azure DevOps Server and/or plug-ins
- Include clear, concise, and reproducible steps, either in writing or in video format
- Provide our engineers with the information necessary to quickly reproduce, understand, and fix the issue. This allows submissions to be processed as quickly as possible and supports the higher bounty awards.
Bounty awards vary greatly according to the security impact of the reported vulnerability, ranging from $20,000 for a remote code execution vulnerability submitted in a high-quality report down to $500 for a low-quality report of a tampering issue.
Further details on which vulnerabilities are in scope or out of scope for this bounty program are provided here, together with the activities that are forbidden while researching security issues in bounty-eligible Microsoft online services.
All Microsoft bug bounty programs are governed by the Microsoft Bounty Terms and Conditions available on its MSRC website.