Microsoft has paid out over $370,000 in bug bounties to security researchers for vulnerability reports submitted through the Azure Sphere Security Research Challenge (ASSRC), an IoT-focused research program. The Azure Sphere Security Research Challenge is a three-month extension of the bounty program of the Azure Security Lab that Microsoft announced at Black Hat 2019.
The ASSRC extension added to the existing incentives, coordination framework and support resources to make Coordinated Vulnerability Disclosure (CVD) easier for researchers and to further encourage Azure Sphere research.
According to BleepingComputer, 70 researchers from more than 20 countries submitted 40 vulnerability reports between 1 June 2020 and 31 August 2020, with 30 of these reports leading to security improvements in the Azure Sphere IoT solution.
Microsoft awarded money to researchers who were able to prove their ability to execute code in the Secure World of the Azure Sphere application platform or in the Microsoft Pluton security subsystem.
In addition, the tech giant stated that many of the vulnerabilities identified during the research challenge were innovative and high impact, leading to significant security improvements for Azure Sphere in the 20.07, 20.08 and latest 20.09 updates. These updates were automatically pushed to Internet-connected Azure Sphere devices, protecting Azure Sphere customers and expanding Microsoft's partnerships with the global IoT security research community.
The company added that security researchers at McAfee ATR and Cisco Talos reported some of the highest-impact vulnerabilities in Azure Sphere, including a full attack chain developed by McAfee ATR that combined a cloud-side weakness with multiple device vulnerabilities, among them a previously unknown Linux kernel vulnerability.
The researchers involved in the challenge targeted three general scenarios, each focused on a different layer of the Azure Sphere operating system:
- Anything that allows execution of unsigned code that is not pure ROP (Return Oriented Programming) on Linux.
- Anything that allows privilege escalation beyond the capabilities described in the application manifest (e.g. changing the user ID, gaining access to additional binaries).
- Ability to modify software and configuration options (except a full device reset) on a device in the manufacturing state.
Researchers can still report high-impact vulnerabilities in Azure Sphere as part of the Microsoft Azure bounty program, with the best reports eligible for awards of up to $40,000.
Microsoft announced in August that it had awarded $13.7 million to researchers who reported vulnerabilities over the previous 12 months, between July 1, 2019 and June 30, 2020, through 15 bug bounty programs. In 2020 alone, the company launched six new bug bounty programs and two new research grants, receiving 1,226 vulnerability reports from 327 security researchers. Finally, Microsoft also joined the Open Source Security Foundation (OpenSSF) as a founding member in August, along with GitHub, Google, IBM, JPMC, NCC Group, the OWASP Foundation and Red Hat.