Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Microsoft announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company’s Azure Sphere solution.

Azure Sphere is an IoT security solution designed to provide end-to-end security across hardware, operating system and the cloud.

In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

Hackers can apply for the Azure Sphere Research Challenge until May 15, and the challenge will run between June 1 and August 31. Researchers whose applications have been accepted will receive an email from Microsoft.

This new initiative, an expansion of the Azure Security Lab project announced last year, invites researchers to find vulnerabilities that would allow them to execute code on the Pluton security subsystem, which is the hardware-based secured root of trust for Azure Sphere, or in the Secure World operating environment of the Azure Sphere application platform. Microsoft is prepared to pay out up to $100,000 for these types of exploits.

While this research focuses on the Azure Sphere OS, vulnerabilities in other components could still receive a reward through the public Azure bug bounty program.

For the Azure Sphere Research Challenge, Microsoft has teamed up with several cybersecurity solutions providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” Microsoft said.


via:  securityweek


Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *