At Black Hat 2019 today, Microsoft announced the Azure Security Lab, a sandbox-like environment for security researchers to test its cloud security. The company also doubled the top Azure bug bounty to $40,000.
Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Microsoft shared today that it has issued $4.4 million in bounty rewards over the past 12 months.
The Azure Security Lab takes the idea to the next level. It’s essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure but also attempt to exploit them.
The Azure Security Lab isn’t open to the public — you have to apply. Microsoft is promising quarterly campaigns for targeted scenarios with added incentives, including exclusive swag. Security researchers will also be able to engage directly with Azure security experts.
“We have new scenario-based challenges with additional bounty awards of up to $300,000 in the Azure Security Lab. Throughout the year, more than $2 million of scenario bounty rewards will be offered to Azure Security Lab participants,” Kymberlee Price, Microsoft’s security community manager, told press ahead of the announcement. “The first scenarios will focus on breaking VM-based tenant isolation on Azure.”
Microsoft today also formalized its two-decade Safe Harbor commitment. These principles ensure security researchers receive recognition for their work.
Azure is Microsoft’s current cash cow. Securing its cloud is paramount not just to competing with Amazon Web Services and Google Cloud, but to Microsoft’s overall growth.