August 5, 2019 (updated 06 Aug 2019 7:59am)

Invitation Only “Azure Security Lab” Will Pay Out $300k for VM Escapes

"Confidently and aggressively test Azure"

By CBR Staff Writer

Microsoft says it is launching a sandbox dubbed the “Azure Security Lab” that will pay out $300,000 to security researchers who can demonstrate a functional exploit that enables escape from a guest Virtual Machine (VM) to the host or to another guest VM.

(The company, like thousands of others, offers a comprehensive bug bounty programme, through which security researchers can get paid for submitting proof that they have found a way to exploit a given company’s hardware or software.)

The Azure Security Lab will spin up Windows Server 2019 or Ubuntu Linux VMs. Security researchers wanting to get stuck in need to fill in an application form.

“To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented individuals to come and do their worst to emulate criminal hackers in a customer-safe cloud environment,” Microsoft said.

“We have a limited number of hosts available in the Azure Security Lab, so access is by application only. Azure Security Lab scenario awards are only offered for the exploit scenarios above and must be performed within the Azure Security Lab,” it said.

Microsoft is also doubling the top bug bounty reward for Azure vulnerabilities to $40,000 – this spans critical remote code executions and privilege escalations. It says it has paid out $4.4 million in bounties over the past 12 months.

See also: HackerOne CEO Mårten Mickos on the Devil, Zero Days, and the Powers of a “Hacker Army”

The company has also formalised protections for security researchers against the threat of legal action, saying: “To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of Microsoft Bug Terms and Conditions. We consider security research and vulnerability disclosure activities conducted consistent with this policy to be ‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws.

“We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in our bug bounty programs’ scope.

“If legal action is initiated by a third party, including law enforcement, against you because of your participation in this bug bounty program, and you have sufficiently complied with our bug bounty policy (i.e. have not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with this policy.”
