Microsoft launches Azure DevOps bug bounty program

Microsoft has launched yet another bug bounty program and is urging security researchers to look into the security of Azure DevOps, its cloud service for collaborating on code development.

About the program

The services and products that are in scope of this new bug bounty program are:

  • Azure DevOps Services (formerly Visual Studio Team Services)
  • The latest publicly available versions of Azure DevOps Server and Team Foundation Server.

Researchers can earn between $500 and $20,000 for successful submissions – the final amount depends on their quality and complexity and on the security impact of the discovered vulnerability (or vulnerabilities).

In-scope vulnerabilities include XSS and CSRF bugs, unauthorized cross-tenant data tampering or access, insecure direct object references, insecure deserialization, injection vulnerabilities, server-side code execution flaws, significant security misconfigurations (not caused by the user), and the use of components with known vulnerabilities.

Researchers needn’t bother with flagging Denial of Service bugs and are prohibited from doing DoS testing or automated testing of services. As is usual in such programs, phishing or social engineering attacks against employees are off limits.

They also won’t be getting paid for vulnerabilities that depend on user configuration or action, vulnerabilities in third-party components (e.g., third-party extensions or software provided by Azure), server-side information disclosure bugs, cookie replay vulnerabilities, or user/tenant enumeration vulnerabilities.

“Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework,” noted Buck Hodges, Director of Engineering for Azure DevOps.

“We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.”

More information about the program can be found here. For more information about Microsoft’s other bug bounty programs go here.