Microsoft Azure DevOps Bounty Program
PROGRAM DESCRIPTION:
Azure DevOps Services is a cloud service for collaborating on code development. It spans the breadth of the development lifecycle to help developers ship software faster and with higher quality. Azure DevOps Services is committed to providing rock-solid security, and as a part of that we believe in close partnerships with security researchers and our user community. We invite eligible researchers to identify security vulnerabilities in targeted Azure DevOps services and products and share them with our team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.
This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions.
IN-SCOPE SERVICES AND PRODUCTS:
- Azure DevOps Services (formerly Visual Studio Team Services)
- The latest publicly available versions of Azure DevOps Server and Team Foundation Server
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty award:
- Identify a previously unreported vulnerability in one of the in-scope services or products
- Web application vulnerabilities must impact supported browsers for Azure DevOps services and Azure DevOps Server and/or plug-ins
- Include clear, concise, and reproducible steps, either in writing or in video format
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue. This allows submissions to be processed as quickly as possible and supports the higher bounty awards
Microsoft may reject any submission that it determines (in its sole discretion) does not meet these criteria.
GETTING STARTED
To learn about Azure DevOps, please see our documentation site.
Sign up for an Azure DevOps account or download a free trial of Azure DevOps Server.
HOW ARE AWARD AMOUNTS SET?
Bounty awards range from $500 up to $20,000. Bounties will be awarded at Microsoft’s sole discretion based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix.
Security Impact | Report Quality | Severity | |||
---|---|---|---|---|---|
Critical
|
Important
|
Moderate
|
Low
|
||
Remote Code Execution |
High Medium Low |
$20,000 $15,000 $10,000 |
$15,000 $10,000 $5,000 |
$0
|
$0
|
Elevation of Privilege |
High Medium Low |
$ 8,000 $ 4,000 $ 3,000 |
$5,000 $2,000 $1,000 |
$0
|
$0
|
Information Disclosure |
High Medium Low |
$ 8,000 $ 4,000 $ 3,000 |
$5,000 $2,000 $1,000 |
$0
|
$0
|
Spoofing |
High Medium Low |
N/A
|
$3,000 $1,200 $500 |
$0
|
$0
|
Tampering |
High Medium Low |
N/A
|
$3,000 $1,200 $500 |
$0
|
$0
|
Denial of Service |
High/Low
|
Out of Scope
|
N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category
A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and a proof of concept (PoC). Sample high- and low-quality reports are available here.
We recognize some issues are extremely difficult to reproduce and understand and will take this into consideration when assessing the quality of a submission.
IN-SCOPE VULNERABILITIES
The following are examples of vulnerabilities that may lead to one or more of the above security impacts:
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Cross-tenant data tampering or access
- Insecure direct object references
- Insecure deserialization
- Injection vulnerabilities
- Server-side code execution
- Significant security misconfiguration (when not caused by user)
- Using component with known vulnerabilities
- Requires full proof of concept (PoC) of exploitability. For example, simply identifying an out of date library would not qualify for an award
- Unauthorized cross-tenant data tampering or access
WHAT ARE THE RULES GOVERNING THE TESTING OF BOUNTY-ELIGIBLE MICROSOFT ONLINE SERVICES?
The fMicrosoft Azure DevOps Bounty program's scope is limited to technical vulnerabilities in Azure DevOps related products and services. The following are not permitted:
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Gaining access to any data that is not wholly your own. For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.
- Moving beyond “proof of concept” repro steps for server-side execution issues (e.g proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in specified products and services.
- Using our services in a way that violates the terms for that service.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
OUT OF SCOPE VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft, or are already known by the wider security community (refer to the Azure DevOps Developer Community as an additional resource)
- Vulnerabilities in any version other than Public Preview and RC releases of Azure DevOps and Azure DevOps Server
- Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities based on user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks.
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Vulnerabilities based on third parties, for example:
- Vulnerabilities in third-party software provided by Azure such as gallery images and ISV applications
- Vulnerabilities in third-party extensions
- Vulnerabilities in platform technologies that are not unique to Azure DevOps and Azure DevOps Server (for example IIS, OpenSSL etc.)
- Out of scope vulnerability types, including:
- Server-side information disclosure
- Sub-Domain Takeovers
- Denial of service (DoS) attacks
- Cookie replay vulnerabilities
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities in other Microsoft Products, for example:
- Vulnerabilities in Hyper-V such as virtual machine escapes. These submissions may be eligible for a bounty through the Mitigation Bypass Bounty program or the Hyper-V Bounty program.
- Please see the full list of Bounty Programs for other bounty eligible Microsoft products and services.
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation:
- Dependency Confusion issues
Microsoft may reject any submission that it determines (in its sole discretion) falls into any of these categories even if otherwise eligible for bounty.
BOUNTY AWARDS
- Microsoft retains sole discretion in determining award amounts and which submissions eligible and in scope.
- There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program
ADDITIONAL INFORMATION
For additional information please see our FAQ.
REVISION HISTORY
- January 17, 2019: Program launched.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- June 01, 2023: Added Dependency Confusion issues to Out-of-Scope.