And we’ll even pay you if you manage to do it, company says

May 7, 2020 04:06 GMT

Microsoft has announced a new bounty that invites security researchers to break into Azure Sphere OS, its custom Linux operating system.

The company is paying up to $100,000 as part of the Azure Sphere Security Research Challenge, which is itself an expansion of the Azure Security Lab.

Researchers must enroll in the research program by May 15 this year, and the bounty program itself will be available from June 1 to August 31 for accepted applicants.

Microsoft says it’s specifically looking for exploits that would allow attackers to execute code on Pluton and on Secure World, and such exploits are rewarded with $100,000.

“This research challenge is focused on the Azure Sphere OS. Vulnerabilities found outside the research initiative scope, including the Cloud portion, may be eligible for the public Azure Bounty Program awards. Physical attacks are out of scope for this research challenge and the public Azure Bounty Program,” the company explains.

Microsoft and bug bounty programs

Microsoft is betting big on bounty programs to improve the security of its software, and so far the company has launched similar programs for several key products, including Windows, the Microsoft Edge browser, and Microsoft Office.

Researchers are awarded bounties of up to $30,000 for critical vulnerabilities in the Edge browser and up to $15,000 if they find flaws in Office Insider builds. On the other hand, a critical RCE flaw in Microsoft Hyper-V is rewarded with up to $250,000.

“Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” the company says.

If you want to apply for the new research program, you need to submit your application on this page.