Microsoft Announces Bug Bounty Program to Hack the Security of Azure Sphere, its Custom Linux OS
Microsoft is offering a $100,000 bug bounty program to hack its custom Azure Sphere Linux operating system (OS). The Microsoft Azure Sphere Security Research Challenge gives white-hat hackers three months to test, find security flaws in, and improve the security of Azure Sphere. Two awards of $100,000 plus bonuses are available for the ability to hack into the OS. Azure Sphere provides a cloud-based security service using Microsoft’s Linux-based OS.
The platform provides security for microcontroller unit (MCU) powered devices to securely connect to the internet. The application is intended for Internet of Things (IoT) devices like lighting, toys, appliances, and consumer devices.
Participants must successfully execute code in the Pluton security subsystem or in Secure World mode to win an award. On top of the eligible vulnerability reports, additional awards are available for more elevated vulnerabilities such as the ability to spoof device authentication.
- 20% additional awards for vulnerabilities rated Critical
- 10% additional awards for vulnerabilities rated Important
To become eligible for this Azure Sphere Security Research Challenge, participants must apply online and await approval. Once accepted they will receive
What is Azure Sphere?
Azure Sphere is an application platform with built-in communication, control, and security features for internet-connected devices. Microsoft explains, “An Azure Sphere MCU, along with its operating system and application platform, enables the creation of secured, internet-connected devices that can be updated, controlled, monitored, and maintained remotely.”
What is Bug Bounty?
Bug bounty programs are official and legal programs that allow white-hat hackers to help corporations, software developers, system administrators, and security researchers find vulnerabilities in their applications, software, hardware, and networks. This is one way a legal hacker can earn money from their computer skills. Many companies run continuous rewards programs that provide a conduit for cyber security professionals to earn money while helping the company secure its systems. Companies running bug bounty programs use the information discovered by the hackers to secure their applications and environments.
The idea behind a bug bounty program is to get information related to all levels of security flaws fixed before they are exploited in the wild. When a security flaw is discovered, but not yet patched, it is known as a zero-day vulnerability. If a security flaw is serious or critical, it may be used to hack into accounts or systems before the developer implements a fix. Often details about a security flaw are not published until an update has spread to enough affected systems.
Information about known security bugs can be seen in the official list of Common Vulnerabilities and Exposures.
Microsoft and Google each run a continuous bug bounty program offering cash rewards for those who find and report bugs.
The Azure Sphere Security Research Challenge starts on June 1, 2020 and lasts three months. Participants must apply by May 15, 2020. Although the Azure Sphere Security Research Challenge is only for the Azure Sphere operating system, other vulnerabilities may be eligible for the public Azure Bounty Program awards.