Microsoft Azure Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

Microsoft Azure is an ever-expanding set of cloud computing services to help organizations build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks. The Microsoft Azure Bounty Program invites researchers to identify vulnerabilities in Azure products and services and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $60,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Identify a vulnerability in Azure Products that was not previously reported to, or otherwise known by, Microsoft.
• Such vulnerability must be of Critical or Important severity and must be reproducible on the latest, fully patched version of the in-scope products or services.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.
• Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for.
• Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

• Azure Products

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

• For Azure services, you can start a free trial to use as your test account here, and learn more about Azure with Getting Started Guide for Developers and the Azure documentation site.
• For Microsoft Account, you can set up your test account here.
• Follow the Azure Blog and Twitter to learn about the latest features and releases.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.

BOUNTY AWARDS

Bounty awards range from 1,250upto1,250 up to 1,250upto60,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.

AZURE SECURITY LAB SCENARIO CHALLENGE

In Azure Security Lab scenario challenges, we provide more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud. Please see ongoing challenges on the Azure Security Lab page.