Microsoft awards $374,300 in bug bounties to secure Azure Sphere

Microsoft has awarded $374,300 in bug bounties to security researchers who spotted bugs in Azure Sphere, which itself offers high-end security for cloud-connected Internet of Things (IoT) devices.

During the three-month Azure Sphere Security Research Challenge (ASSRC), cyber security researchers surfaced 20 critical or important severity security vulnerabilities in Azure Sphere.

The Azure Sphere Security Research Challenge brought together 70 researchers from 21 countries to help secure Azure Sphere customers and expand Microsoft’s partnerships with the global IoT security research community.

“Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere in their 20.07, 20.08 and the latest 20.09 updates,” Microsoft said in a statement on Tuesday.

The updates were automatically pushed to Azure Sphere devices that are connected to the internet to help secure Azure Sphere customers.

Security researchers from McAfee ATR and Cisco Talos reported high-impact bugs in Azure Sphere, “especially a full attack chain developed by McAfee ATR that exposed a weakness in the cloud and multiple weaknesses on the device including a previously unknown Linux kernel vulnerability”.

Microsoft introduced two high-priority research scenarios focused on the core of the Azure Sphere operating system (OS) with $100,000 awards, and six general scenarios focused on various levels of the Azure Sphere OS with up to 20 per cent additional awards on top of the Azure Bounty Programme awards.

“We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere,” Microsoft said.

In April 2018, Microsoft announced Azure Sphere to better secure the 41.6 billion IoT devices expected to be connected to the Internet by 2025.

This year, Microsoft announced six new bug bounty programmes and two new research grants, receiving 1,226 eligible vulnerability reports from 327 security researchers.