
Microsoft Pays Over $370,000 For Azure Sphere Bug Reports


Microsoft awarded over $370,000 in bounties to security researchers for 16 bounty-eligible vulnerability reports submitted through the Azure Sphere Security Research Challenge (ASSRC), an IoT-focused research program.

Azure Sphere Security Research Challenge is a 3-month expansion to the Azure Security Lab bounty program Microsoft announced last year at Black Hat 2019.

The ASSRC expansion added to the already existent incentives, coordination framework, and support resources to make Coordinated Vulnerability Disclosure (CVD) easier for researchers and to stimulate further Azure Sphere research.

70 researchers from more than 20 countries submitted 40 vulnerability reports during the challenge that took place from June 1, 2020, through August 31, 2020, with 30 of these reports leading to improvements of the Azure Sphere IoT security solution.

Out of the 40 submissions, 16 were bounty-eligible amounting to $374,300 in awarded bounties. 10 of those that were not eligible “identified known areas where a potential risk is specifically mitigated in another part of the system—something often referred to in the field as ‘by design’.”

[Image: Azure Sphere Security Research Challenge breakdown. Image: Microsoft]


Microsoft awarded the bounties to researchers who were able to demonstrate their ability to execute code on the Azure Sphere application platform’s Secure World or the Microsoft Pluton security subsystem.

“Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere in their 20.07, 20.08, and the latest 20.09 updates, which have been automatically pushed to Azure Sphere devices that are connected to the internet to help secure Azure Sphere customers,” Microsoft said.

“Security researchers from McAfee ATR and Cisco Talos reported some of the highest impact vulnerabilities in Azure Sphere, especially a full attack chain developed by McAfee ATR that exposed a weakness in the cloud and multiple weaknesses on the device including a previously unknown Linux kernel vulnerability.”

The researchers participating in the challenge achieved three of the general scenarios focused on several levels of the Azure Sphere OS:

  • Anything allowing execution of unsigned code that isn’t pure return oriented programming (ROP) under Linux
  • Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary)
  • Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state

Researchers can still submit any Azure Sphere high-impact vulnerabilities as part of the Microsoft Azure Bounty Program, with qualified submissions being eligible for awards of up to $40,000.

Microsoft also announced in August that it has awarded $13.7 million to researchers who reported vulnerabilities over the last 12 months through 15 bug bounty programs, between July 1st, 2019, and June 30th, 2020.

In 2020 alone, the company launched six new bug bounty programs and two new research grants, receiving 1,226 eligible vulnerability reports from 327 security researchers.

Microsoft also joined the Open Source Security Foundation (OpenSSF) as a founding member in August, together with GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat.
