
Microsoft announces Azure DevOps bounty program

  • 18 Jan 2019


Yesterday, the Microsoft Security Response Center (MSRC) announced the launch of the Azure DevOps Bounty program, which is intended to strengthen the security provided to Azure DevOps customers. Microsoft is offering rewards of up to US$20,000 for eligible vulnerabilities found in Azure DevOps online and Azure DevOps server.

The bounty rewards range from US$500 to US$20,000. The amount is at Microsoft’s discretion, based on the severity and impact of the vulnerability and on the quality of the submission, subject to the bounty terms and conditions. The products in scope are Azure DevOps services, previously known as Visual Studio Team Services, and the latest versions of Azure DevOps Server and Team Foundation Server.

The goal of the program is to find any eligible vulnerabilities that may have a direct security impact on the customer base. For a submission to be eligible, it should fulfil the following criteria:

  • The submission must identify a previously unreported vulnerability in one of the services or products.
  • The web application vulnerabilities must impact supported browsers for Azure DevOps server, services, or plug-ins.
  • The submission should have documented steps that are clear and reproducible. It can be text or video.
  • Including any information needed to quickly reproduce and understand the issue can result in a faster response and higher rewards.


Submissions that Microsoft judges not to meet these criteria may be rejected. You can send submissions to secure@microsoft.com, following the bug submission guidelines. Participants are asked to follow Coordinated Vulnerability Disclosure when reporting vulnerabilities. Note that there are no restrictions on how many vulnerabilities you can report or on the rewards for them. When there are multiple submissions, the first one will be chosen for the reward.

For more details about the eligible vulnerabilities and the Microsoft Azure DevOps bounty program, visit the Microsoft website.
