The Azure Security Lab will let researchers attack Microsoft's cloud environment in a customer-safe way, the company says.
In an effort to surface bugs and vulnerabilities in its Azure cloud platform, Microsoft announced at Black Hat USA 2019 that it will pay up to $300,000 to researchers who successfully attack the platform with test exploits.
The Azure Security Lab is a dedicated set of Azure cloud hosts that Microsoft has set aside for testing. The invitation-only program lets researchers run attacks against infrastructure-as-a-service (IaaS) scenarios without affecting customers: the lab hosts are isolated from the hosts that customers use, so the lab and Azure production are separate environments. That isolation gives researchers more freedom to run live exploits.
“The isolation of the Azure Security Lab allows us to offer something new: Researchers can not only research vulnerabilities in Azure, but they can also attempt to exploit them,” says Kymberlee Price.
“To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented individuals to come and do their worst to emulate criminal hackers in a customer-safe cloud environment called the Azure Security Lab,” Price, principal security PM manager for the Microsoft Community and Partner Engagement Programs, said in a blog post on Monday.
Starting Monday, researchers with access to the Azure Security Lab can also take on scenario-based challenges with a top reward of $300,000, the highest Microsoft has offered to date. Researchers can apply through Microsoft's official website.
Microsoft also announced that it is doubling the top bounty it pays for Azure vulnerabilities.
In January, Microsoft launched a bug bounty program for Azure DevOps with rewards of up to $20,000. It is now doubling that maximum reward to $40,000.
Azure DevOps, launched in 2018, is a cloud-based service that supports collaborative software development across the full development lifecycle.
Two services are in scope for the bounty program: Azure DevOps Services (formerly Visual Studio Team Services) and the latest publicly available versions of Azure DevOps Server and Team Foundation Server.
This is the latest in a series of bug bounty programs from Microsoft, which has paid out $4.4 million in rewards across its programs over the past 12 months.
In July, Microsoft launched a bug bounty program paying up to $100,000 for vulnerabilities in its identity services and its implementations of the OpenID standard.
In scope are Microsoft Account and Azure Active Directory, which provide identity and access management for consumer and enterprise applications, as well as Microsoft's implementation of the OpenID authentication protocol.
Microsoft also published safe harbor terms on Monday, spelling out the conditions under which researchers can report bugs without facing legal action.
“Microsoft is committed to ensuring our cloud is secure from modern threats,” said Price. “We built Azure with security in mind from the beginning, and work to help customers secure their Azure cloud environment with products such as Azure Sentinel and Azure Security Center. And if a situation arises, our Cloud Defense Operation Center (CDOC) and security teams work around the clock to identify, analyze, and respond to threats in real-time.”
In a related case, Instagram, the Facebook-owned photo-sharing platform, recently patched a vulnerability that let attackers take over a user's account in about 10 minutes. Facebook's bug bounty program encourages white-hat hackers to find ways in which Facebook's and its subsidiaries' systems can be exploited.
“Facebook is constantly working to improve its security controls on all of its platforms. As a part of it, they recently increased reward payouts for all critical vulnerabilities, including account takeovers. So I decided to try my luck on Facebook and Instagram. Fortunately, I was able to find one on Instagram,” wrote the researcher who found the vulnerability.
Bug bounty programs are productive for both companies and researchers: a researcher who finds a bug earns the reward, and the company learns about the flaw before criminals exploit it. A bounty period that turns up no findings does not prove a system cannot be hacked; it only shows that the system held up against the testing it actually received.