Dive Brief:
- Microsoft is doubling its top bug bounty award for Azure to $40,000, according to a company announcement Monday.
- In order for researchers to more "aggressively" pursue faults in Azure, Microsoft called on specific individuals to "do their worst" in emulating malicious actors. The exercises are carried out in the Azure Security Lab, a "customer-safe cloud environment."
- The Azure Security Lab isolates research so individuals can look for vulnerabilities and exploit them. Scenario-based challenges elicit awards reaching $300,000.
Dive Insight:
Bug bounty programs are meant to fill gaps in organizations' cybersecurity staffing. More than 60% of businesses struggle to find adequate cybersecurity talent.
A lack of role standardization and narrow job descriptions hinder companies' abilities to round out their security teams.
In addition to supplementing talent or making up for where it's lacking, bug bounty programs allow companies to use outside knowledge of white hat hackers to find flaws.
As Microsoft puts it, "we work hard to earn your trust in the cloud, but we don't do it alone."
Companies that can't hire people who think like hackers rely on bug bounty programs to outsource those skills.
Companies with broad attack surfaces, like Verizon, which has several brands under the parent company, use bug bounty programs to supplement their security red teams. Verizon-owned Yahoo started a public program in 2013, allowing essentially anyone on the internet to participate.
Verizon Media, however, operates like Microsoft's Azure Security Lab, with invitation-only programs.
Google's attack surface stretches across the search engine, YouTube, Google Cloud, applications and hardware devices. They are all eligible web services in its bug bounty program.
Participants can make more than $31,000 for finding a remote code execution vulnerability, such as command injection, deserialization bugs and sandbox escapes.
Bug bounty programs, however, are not without risk. Participants, whether researchers or hackers, have the potential to gaslight a company.
If hackers find a vulnerability severe enough, it could jeopardize customers' impression of the company's security standards.
But as for attracting truly bad actors to a bug bounty program, the odds are slim. Most programs have limitations on data access rights.