Microsoft's bug bounty programs reinforce a commitment to secure and stable products while increasing the cadence of tools development and release within Microsoft.
In the wake of a recent Microsoft MVP Summit, I’ve gained new insight into just how many moving pieces there are within the suite of products and applications offered by Microsoft. It’s not just about having a functional product today--it’s also about laying the groundwork for the roadmap of changes to come.
Of course, bugs are a problem for users and software development companies alike. A bug or unhandled error can force development teams to delay releases or, even worse, cause customers to lose faith in the product. By laying down a bounty program, Microsoft not only publicly asserts that its products are stable and secure, but also provides internal incentives to release only stable code because hard money is on the line.
As Microsoft continues to become a player in open source technologies--and through the acquisition of GitHub, DevOps facilitation products--Azure DevOps Server and Azure DevOps Studio will be the face of Microsoft for many developers who may have shied away from the company and its products in the past.
It’s important for Microsoft to get this right, and it's on the right path with bounty programs like the one in place for Azure DevOps Server. The platform joins Azure DevOps Services and Team Foundation Server in supporting collaborative development between developers and teams in today’s continuous integration and development world. Microsoft’s Security Response Center (MSRC) wants to ensure these products provide a highly secure environment for customers and is placing its money where its code is.
A bounty of $500 to $20,000 will be awarded at the discretion of the MSRC for qualifying items and products included in the scope of the bounty program that meets the Microsoft Bounty Terms and Conditions. The bounty is inclusive of:
- Azure DevOps Services
- Latest publicly accessible versions of both Azure DevOps Server and Team Foundation Server
As one would expect, the size of the bounty depends upon the scale of the vulnerability and the possible impact on end users along with other eligibility requirements:
- Vulnerability must be unreported and in at least one of the in-scope products/services.
- Web application vulnerabilities must impact one of the supported browsers for the in-scope products or a supported plug-in.
- The submission must also include “clear, concise” steps that must be reproducible.
- Submitted steps can be provided in text or video format.
- Must provide enough information for Microsoft engineers to quickly reproduce and understand.
Not all vulnerabilities are considered in scope for the bounty--even if they’re pertinent to one of the covered products or services and meet the eligibility requirements above. Vulnerabilities that are not core to the product--such as third-party extensions--or are not unique to these services and products such as IIS, OpenSSL, etc., are out of scope. A complete list of out-of-scope vulnerabilities can be found on the Microsoft Azure DevOps Bounty Program page.
Provide your submission through email at [email protected]. Submissions must meet Microsoft’s standard submission guidelines provided in their Report an Issue FAQ page here, and potential security sleuths are being requested to follow the Coordinated Vulnerability Disclosure guidelines published here. Microsoft reserves the right to reject any submission that it deems ineligible.
You can visit the Microsoft website for more details on the complete bounty program for Azure DevOps.