As a result, the discovery of a bug can net a significant amount, with up to $20,000 for a critical Remote Code Execution flaw. Meanwhile, a critical elevation of privilege flaw will net you $8,000. The lowest amount is $500 for a low-quality report of a tampering flaw.
“This program will help us provide the highest level of security for our customers, protect customer data, and ensure the availability of Azure DevOps,” said Buck Hodges, director of engineering, Azure Dev Ops, in a blog post. “I'm looking forward to seeing what we learn from working more closely with the security community.”
Internal Monitoring and Attacks
Bug bounties can be incredibly useful to companies, not as a replacement to internal teams, but to think outside the box and consider new avenues. Working in a closed environment tends to breed certain priorities and practices that can influence the way teams think about security.
“Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework,” said Hodges. “We'll continue to employ careful code reviews and examine the security of our infrastructure. We'll still run our security scanning and monitoring tools. And we'll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.”
As usual, you can't just submit any bug and expect to get paid. Microsoft requires the bugs to have a “direct and demonstrable” impact on customer security. The bug must also be previously unreported and contain clear, concise, and repeatable steps for reproduction. You can find the full terms here.