Microsoft aims to keep Azure DevOps pipelines flowing with bug bounty cash

Microsoft has launched a bug bounty programme for its Azure DevOps service, with some fairly chunky rewards for top level flaws.

As Redmond puts it, Azure DevOps “spans the breadth of the development lifecycle to help developers ship software faster and with higher quality. Azure DevOps Services is committed to providing rock-solid security, and as a part of that we believe in close partnerships with security researchers and our user community.”

The new scheme covers both Azure DevOps Services (Visual Studio Team Services in old money) and the latest publicly available versions of Azure DevOps Server and Team Foundation Server.

The amount paid – at Microsoft’s discretion, of course – will depend on both the severity of the bug and the “report quality” of the submission, rated low, medium or high.

“A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue,” says Microsoft.

Thus bounties start at $500 for an “important” tampering bug accompanied by a low-quality report. Information disclosure and elevation-of-privilege bugs net between $1000 and $8000.

However, the really big money comes from spotting a remote code execution bug. An “important” bug accompanied by a low-quality report earns $5000. A critical bug with a medium-quality report makes $15,000, while a high-quality report on a critical bug hits the jackpot at $20,000.

However, when you consider the chaos that can ensue from a run-of-the-mill bug in Microsoft’s services, the numbers may seem small beer. Azure DevOps users were hit by a search function bug back in October. In November, a multi-factor authentication bug hit users in the UK and beyond first thing on a Monday morning, compounding timeouts caused by an earlier bug over the weekend.