Microsoft has some very good news for bug hunters: not only has the company doubled the top bounty reward for vulnerabilities discovered in its Azure cloud computing service, but has also created an isolated testing environment that will allow researchers to try to exploit them.
The Azure Security Lab
“The Azure Security Lab is a set of dedicated cloud hosts for security researchers to test attacks against IaaS scenarios, and which is isolated from Azure customers,” Microsoft Security Community and Partner Engagement Manager Kymberlee Price explained.
“As well as offering a secure testing space, the lab program will enable participating researchers to engage directly with Microsoft Azure security experts. Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag.”
There’s only a limited number of hosts available in the Azure Security Lab, so access is by application only. Applicants can request the provisioning of a Windows Server 2019 or Ubuntu Linux VM, and may use it to attempt a VM escape exploit (top award $300,000) or a DoS attack on the host (top award $50,000).
All researchers, not just those who have access to the Lab, are invited to attempt to obtain administrative access to the Azure Security Lab subscription (top award $300,000).
More details about the Azure Bounty Program are available here.
Written assurances for researchers
Microsoft has also put in writing the principle of Safe Harbor for researchers.
“We want you to responsibly disclose through our bug bounty programs, and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy,” the company stated.
“We will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of Microsoft Bug Terms and Conditions. We consider security research and vulnerability disclosure activities conducted consistent with this policy to be ‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as WA Criminal Code 9A.90. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in our bug bounty programs’ scope.”
Bug hunters who are not sure whether some of their actions might violate the policy are urged to ask for clarification before engaging in them.
But, Microsoft warned, if their research involves the networks, systems, information, applications, products, or services of a third party, they “cannot bind that third party, and they may pursue legal action or law enforcement notice.”