The Microsoft Security Response Center (MSRC) has announced the creation of a bug bounty program for Azure DevOps services.

On 17 January, MSRC said it would begin awarding bounties of up to $20,000 for reports on eligible vulnerabilities affecting Azure DevOps, a cloud service which helps developers collaborate on code across the entire development lifecycle.

Buck Hodges, director of engineering for Azure DevOps, fully supports the addition of this new program to Microsoft’s existing bug bounty suite and says it won’t replace security measures which Microsoft currently uses to test its service. As he explained in a blog post:

Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework. We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.

Under the parameters of the Microsoft Azure DevOps Bounty Program, security researchers must submit a report detailing an unreported vulnerability that affects either Azure DevOps Services (formerly Visual Studio Team Services) or the latest publicly available versions of Azure DevOps Server and Team Foundation Server. Each report should include steps through which Microsoft’s engineers may reproduce an issue so that they can fix it as quickly as possible.

A variety of vulnerabilities are in scope for the bug bounty program. For instance, participants may receive up to $20,000 for submitting a high-quality report on a “critical” remote code execution flaw. By comparison, they can receive bounties of several thousand dollars for sharing a “critical” or “important” elevation of privilege or information disclosure flaw with the tech giant. Further down the bounty ladder, researchers may receive a $500 bounty for a low-quality report on a spoofing or tampering weakness.

A screenshot of the bounty ladder for the Microsoft Azure DevOps Bounty Program.

Anyone who participates in the program must agree not to perform any kind of denial-of-service testing. They must also refrain from attempting phishing or other social engineering attacks against Microsoft’s employees.

Hodges is excited by how the program will help shape the future of Microsoft’s cloud service:

This program will help us provide the highest level of security for our customers, protect customer data, and ensure the availability of Azure DevOps. I’m looking forward to seeing what we learn from working more closely with the security community.

While Microsoft works to improve the security of Azure DevOps overall, customers themselves can take steps to secure their Azure configurations. Here are some best-practice security fundamentals which they should keep in mind.