Microsoft Azure DevOps Bounty Program (original) (raw)

PROGRAM DESCRIPTION

Azure DevOps Services It spans the breadth of the development lifecycle to help developers ship software faster and with higher quality. Azure DevOps Services is committed to providing rock-solid security, and as a part of that we believe in close partnerships with security researchers and our user community. We invite eligible researchers to identify security vulnerabilities in targeted Azure DevOps services and products and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $20,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Web application vulnerabilities must impact supported browsers for Azure DevOps services and Azure DevOps Server and/or plug-ins
• We request researchers include the following information to help us quickly assess their submission:
• Submit through the MSRC Researcher Portal.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

• Azure DevOps Services (formerly Visual Studio Team Services)
• The latest publicly available versions of Azure DevOps Server and Team Foundation Server

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.

To learn about Azure DevOps, please see our documentation site.

Sign up for an Azure DevOps account or download a free trial of Azure DevOps Server.

AWARDS

Bounty awards range from 1,250upto1,250 up to 1,250upto20,000. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.