News

Microsoft Pays Out $374,300 for Azure Sphere IoT Security Bounties

• By David Ramel
• 10/06/2020

Microsoft announced it paid out $374,300 in bounties to researchers as part of a program to further solidify its Azure Sphere IoT security solution.

That program, called the Azure Sphere Security Research Challenge, enlisted 70 researchers from 21 countries to improve Azure Sphere. They found 20 "critical" or "important" vulnerabilities, and the $374,300 in bounty awards were for 16 of those found to be eligible.

"Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere," Microsoft said in an Oct. 6 blog post.

The highest bounty was $48,000, while the lowest was $3,300.

"Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product," Microsoft said in yet another Oct. 6 blog post. "Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system -- something often referred to in the field as 'by design.'"

Three "general scenarios" for which disclosures were submmited include:

• Anything allowing execution of unsigned code that isn't pure return oriented programming (ROP) under Linux
• Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary)
• Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state DeviceComplete when claimed to a tenant you are not signed into and have no saved capabilities for

Microsoft singled out Cisco Talos and McAfee Advanced Threat Research (ATR) in particular for finding several important vulnerabilities

McAfee ATR published its own extensively detailed post about its efforts in the program.