Microsoft asked hackers to “come and do their worst” as it unveiled a dedicated security lab for Azure and jacked up the bounty on offer to as much as $300,000 for researchers who put its online platform to the test.
The company chose the Black Hat Conference in Las Vegas to announce it was “inviting a select group of talented individuals to come and do their worst to emulate criminal hackers in a customer-safe cloud environment called the Azure Security Lab.”
The idea of Microsoft inviting hackers to come and play on Azure might be expected to put the wind up the increasing number of enterprises that are moving large chunks of their tech operations to Azure.
However, Microsoft was at pains to point out: “The Azure Security Lab is a set of dedicated cloud hosts for security researchers to test attacks against IaaS scenarios, and which is isolated from Azure customers.”
“The isolation of the Azure Security Lab allows us to offer something new: researchers can not only research vulnerabilities in Azure, they can attempt to exploit them,” Kymberlee Price, Principal Security PM Manager, wrote in a blog post.
“Those with access to the Azure Security Lab may attempt the scenario-based challenges with top awards of $300,000.” This is on top of a doubling of the bounty for spotting Azure vulnerabilities to $40,000.
According to the bounty page, that $300,000 prize is available to the registered researcher who demonstrates “a functional exploit enabling an escape from a guest VM to the host or to another guest VM.”
A $300,000 jackpot also applies for any researcher demonstrating a way to “Obtain administrative access to the Azure Security Lab subscription”.
Demonstrating a “method of denial of service to the Azure host” gets you $50,000. The scale goes down to $500 for demonstrating low-level “tampering”.
Price said successful applicants for the programme would be able to “engage directly with Microsoft Azure security experts.”
They will also get “access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag.” So, if you don’t get the $300,000, you can always get a baseball hat.