As Azure continues to pick up steam with collaborative projects within the business, government, and educational sectors, Microsoft is taking steps to maintain the cloud services high level of security assurance. With Windows 10 and Project Spartan on the eve of their PC and mobile devices debut, Microsoft is also looking to get out ahead of potential browser and OS exploits. Microsoft announced today that it would be attempting to address all of these concerns by evolving its Online Services Bug Bounty and expanding the company's Microsoft Bounty Programs to include Azure, Windows 10 and Project Spartan.
As Online Services Bug Bounty Program grows, it will not envelope two of Microsoft’s new online services:
- Azure is Microsoft’s cloud platform and the backbone of Microsoft cloud services.
- This program will include a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory and much more
- Sway.com is a web application that lets users express ideas in an entirely new way across many devices and platforms
- •Raising the maximum payout for the Online Services Bounty Program ◦We will pay up to $15,000 USD for critical bugs, as always, more for more impactful and better-documented bugs.
As for Windows 10 and Project Spartan the new bounties will include:
- Project Spartan Bug Bounty
- Microsoft’s new browser will be the onramp to the Internet for millions of users when Windows 10 launches later this year. Securing this platform is a top priority for the browser team.
- This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.
- ◾Always be sure to use the latest version released in the Windows 10 Technical Preview
- Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan, you can see the specifics in the program terms. Don’t hesitate as the Project Spartan Bug Bounty will run from April 22, 2015 to June 22, 2015 ◾The bounties for Spartan are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.
Lastly, Microsoft is updating its Mitigation Bypass bounty as well as the Bonus bounty for Defense. The idea is for contestants to find novel methods to bypass active mitigation like ASLR and DEP, which are present in the latest released version of Windows (specifically 8.1 and Server 2012 R2). Lucky hackers could earn up to $100,000 for the initial bypass and an additional $50,000 for offering actionable defense techniques for their findings. Microsoft also added a Mitigation Bypass bounty for Hyper-V escape, specifically for Guest-to-Host, Guest-to-Guest, and Guest-to-Host (non-distributed, from single guest).
These additions should also not only show Microsoft’s commitment to cloud technologies, but offer us some insight as to the direction the company plans to take in the future. The new programs will run alongside existing measures like Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework and Security and Compliance Accreditations from third party audits. Microsoft suffered a back in the late 90's and early 2000's when it came to security due to their massive install base, and heading into cloud infrastructures and newer OS’s and browsers, it feels like the company is looking to leave their security issues in the past.