Microsoft announces limited Azure Sphere bug bounty program

Microsoft has announced a new security research / bug bounty program aimed at testing and improving the security of Azure Sphere, its comprehensive IoT security solution.

Azure Sphere bug bounty

The challenge will start on June 1, 2020 and will last three months. Aspiring participants must apply by May 15, 2020.

What is Azure Sphere?

“Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices,” Microsoft explains.

It consists of a secured, connected microcontroller unit (MCU), a custom high-level Linux-based operating system (the Azure Sphere OS), and a cloud-based security service that provides continuous, renewable security (the Azure Sphere Security Service).

Through the Azure Sphere Security Service, the MCU can securely connect to the cloud and web, and the service makes sure that the booted software is genuine and that OS security updates are downloaded and installed securely and automatically.

About the Azure Sphere bug bounty program

This new bug bounty program – or, as Microsoft calls it, security research challenge – is an expansion of the Azure Security Lab and will focus on the Azure Sphere OS.

“Vulnerabilities found outside the research challenge scope, including the Cloud portion, may be eligible for the public Azure Bounty Program awards,” the company noted.

Researchers who demonstrate the ability to execute code on Pluton, the security subsystem that implements a hardware-based root of trust for Azure Sphere, or Secure World, the application platform’s Secure World operating environment, will be eligible to receive up to $100,000 for their efforts.

Reports of security vulnerabilities that could lead to execution of unsigned code that isn’t pure return-oriented programming (ROP), device authentication spoofing, firewall alteration, and so on will also be rewarded.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event,” the MSRC team noted.

“Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk.”
