Microsoft Offers $100,000 Bounty To Hack Its Custom Azure Sphere Linux OS

Think you have what it takes to thwart the security mechanisms in Azure Sphere, a comprehensive security solution Microsoft developed for the Internet of Things (IoT) category? Those who do could potentially collect up to a $100,000 bug bounty. That's some serious cash, and it applies to two specific types of hacks.

The bug bounties are part of a three-month research challenge, in which accepted applicants are invited to look for flaws in Microsoft's Azure Sphere platform. To qualify for the maximum award amount, a security researcher would need to demonstrate an ability to execute unauthorized code on either Pluton or Secure World.


"While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk," Microsoft says.

The security challenge runs from June 1st through August 31st of this year. Anyone who wishes to participate is required to submit an application before May 15. Microsoft says it will review applications on a weekly basis, and those who get accepted will be notified by email.

Not every type of security flaw will net the maximum payout. The challenge is focused specifically on Azure Sphere OS, which is based on a custom Linux kernel. Should a researcher find a vulnerability outside the scope of the challenge, they might be able to collect a separate bounty as part of Microsoft's public Azure Bounty Program. Those awards typically range from $500 to $40,000.

"Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix," Microsoft explains.

Microsoft first previewed its Azure Sphere platform a little over two years ago at RSA 2018. It was developed in response to the growing IoT trend and the need for better security. As Microsoft pointed out at the time, the 2016 Mirai botnet attack leveraged 100,000 compromised IoT devices and "effectively knocked the US East Coast off the internet for a day."

Since then, the market for IoT devices has only grown, and will continue to do so. In addition to providing much-needed security, Azure Sphere is a way for Microsoft to extend its reach beyond Windows, and into these everyday devices.