PROGRAM DESCRIPTION 

Microsoft Azure is an ever-expanding set of cloud computing services to help organizations build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks.  The Microsoft Azure Bounty Program invites researchers across the globe to identify vulnerabilities in Azure products and services and share them with our team. Qualified submissions are eligible for bounty rewards from $500 to $40,000 USD, and up to $300,000 USD for the Azure Security Lab challenge.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.  

IN-SCOPE SERVICES AND PRODUCTS 

Most vulnerabilities submitted against Azure Products are eligible under this or a related Microsoft bounty program. Below is a selection of high priority Azure products, and a good place to get started.

High Priority Azure Products  

For an additional list of in-scope domains and information on out of scope products and vulnerability types please see the “in scope domains and endpoints” and  “out of scope” sections later on this page

Related Cloud Bounty Programs 

Submissions identifying vulnerabilities in Office 365, Microsoft Account, Azure DevOps, and other online services will be considered under our service-specific or product-specific cloud bounty programs, including the Online Services Bounty ProgramMicrosoft Identity Bounty ProgramAzure DevOps Bounty Program, or Microsoft Dynamics 365 Bounty Program.  All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program. 

GETTING STARTED 

Please create a test account and test tenants for security testing and probing. 

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research. 

AZURE SECURITY LAB SCENARIO CHALLENGE 

The Azure Security Lab is a dedicated part of Azure reserved for registered researchers to explore and exploit vulnerabilities in ways that wouldn’t be practical on the standard cloud, and submit their findings to the Microsoft Bounty Program. For example, within the Azure Security Lab it is safe (and encouraged!) to find and exploit vulnerabilities for guest to host escape or denial of service.

Within the Azure Security Lab (registered researchers only)

We encourage researchers within the Azure Security Lab to explore the following high-value scenarios:

 

Scenario

Award

Virtual Machine (VM) Escape:

Demonstrate a functional exploit enabling an escape from a guest VM to the host

$300,000

Denial of Service (DoS) of the host: 

demonstrate a method of persistent denial of service to the Azure host

$50,000

We have a limited number of hosts available in the Azure Security Lab, so access is by application only. Learn more about the guidelines for using this research area and to sign up here for exclusive use of a host and research VM for a 30-day period. Azure Security Lab scenario awards are only offered for the exploit scenarios above and must be performed within the Azure Security Lab. All other vulnerabilities found within the lab or outside the lab are eligible for the public Azure Bounty awards.

Targeting the Azure Security Lab externally (open to all)

We invite all researchers to explore the following high-value scenarios:

Scenario

Award

Elevation of Privilege:

Obtain administrative access to the Azure Security Lab subscription*

$300,000

* Subscription ID is 70556a62-c57e-4f91-95e9-3e856f99e3cd. Eligible submissions must include steps to reproduce your findings

HOW ARE AWARD AMOUNTS SET?  

Bounty awards range from $500 up to $40,000, and up to $300,000 for scenarios in the Azure Security Lab . Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix. 

Security Impact

Report Quality

Severity

Critical

Important

Moderate

Low

Remote Code Execution

High

Medium

Low

$40,000

$20,000

$10,000

$30,000

$20,000

$10,000

$0

$0

Elevation of Privilege

High

Medium

Low

$40,000

$30,000

$20,000

$10,000

$4,000

$2,000

$0

$0

Information Disclosure

High

Medium

Low

$12,000

$6,000

$4,500

$7,500

$3,000

$1,500

$0

$0

Spoofing

High

Medium

Low

N/A

$3,000

$1,200

$500

$0

$0

Tampering

High

Medium

Low

N/A

$3,000

$1,200

$500

$0

$0

Denial of Service

High/Low

Out of Scope

N/A: vulnerabilities resulting in the listed security impact do not qualify for this severity category. 

A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up or video containing any required background information, a description of the bug, and an attached proof of concept (PoC). Sample high- and low-quality reports are available here.   

 

We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when assessing the quality of a submission. 

IN SCOPE VULNERABILITIES  

The following are examples of vulnerabilities that may lead to one or more of the above security impacts:  

  • Cross site scripting (XSS)  
  • Cross site request forgery (CSRF)  
  • Cross-tenant data tampering or access  
  • Insecure direct object references  
  • Insecure deserialization  
  • Injection vulnerabilities  
  • Server-side code execution  
  • Significant security misconfiguration (when not caused by user)  
  • Using component with known vulnerabilities  

IN-SCOPE DOMAINS AND ENDPOINTS 

The following domains and endpoints are eligible for bug bounty awards. Subdomains of in-scope domains are also considered in-scope. Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.  

Please check “WHOIS” records for all resolved IPs prior to testing to verify ownership by Microsoft. Some third parties host sites for Microsoft under subdomains owned by Microsoft, and these third parties are not in scope for this bug bounty program. 

<Tenant> refers to a tenant in a subscription that you own – please do not run tests against any other tenants. 

Azure endpoints 
  • portal.azure.com 
  • manage.windowsazure.com 
  • azure.microsoft.com/blog 
  • tip.passwordreset.microsoftonline.com (Identity Program
  • syncfabric.windowsazure.com 
  • management.azure.com 
  • reportingservice.activedirectory.windowsazure.com 
  • admin.microsoft.com 
  • graph.microsoft.com 
  • enterpriseregistration.windows.net 
  • management.core.windows.net 
  • graph.windows.net 
  • adminwebservice.microsoftonline.com 
  • provisioningapi.microsoftonline.com 
  • <Tenant>.scm.azurewebsites.net (excluding user-generated content) 
  • <Tenant>.ftp.azurewebsites.net (excluding user-generated content) 
  • <Tenant>.vault.azure.net (excluding user-generated content) 
  • <Tenant>.azure-mobile.net (excluding user-generated content) 
  • <Tenant>.batch.core.windows.net (excluding user-generated content) 
  • <Tenant>.batchapps.core.windows.net (excluding user-generated content) 
  • <Tenant>.trafficmanager.net (excluding user-generated content) 
  • <Tenant>.media.windows.net (excluding user-generated content) 
  • <Tenant>.task.core.windows.net (excluding user-generated content) 
  • <Tenant>.watask.core.windows.net (excluding user-generated content) 
  • <Tenant>.workflow.windows.net (excluding user-generated content) 
  • <Tenant>.biztalk.windows.net (excluding user-generated content) 
  • <Tenant>.servicebus.windows.net (excluding user-generated content) 
  • <Tenant>.blob.core.windows.net (excluding user-generated content) 
  • <Tenant>.table.core.windows.net (excluding user-generated content) 
  • <Tenant>.queue.core.windows.net (excluding user-generated content) 
  • <Tenant>.files.core.windows.net (excluding user-generated content) 

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? 

The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty awards: 

  • Identify a previously unreported vulnerability in one of the in-scope services or products 
  • Include clear, concise, and reproducible steps, either in writing or in video format to help our engineers to quickly reproduce, understand, and fix the issue.  
  • This allows submissions to be processed as quickly as possible and supports higher bounty awards. 

 Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. 

WHAT ARE THE RULES GOVERNING THE TESTING OF BOUNTY-ELIGIBLE MICROSOFT ONLINE SERVICES? 

The Azure Bounty program’s scope is limited to technical vulnerabilities in Azure-related products and services. Activities relying on social engineering or impacting the availability of Azure services are not permitted, including:

  • Any kind of Denial of Service testing outside the Azure Security Lab.
  • Performing automated testing of services that generates significant amounts of traffic. 
  • Gaining access to any data that is not wholly your own. For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account. 
  • Moving beyond “proof of concept” repro steps for server-side execution issues (e.g. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not). 
  • Attempting phishing or other social engineering attacks against our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services. 
  • Using our services in a way that violates the terms for that service. 

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious. 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES 

MSRC is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:  

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community 
  • Out of scope vulnerabilty types, including:
    • Server-side information disclosure such as IPs, server names and most stack traces 
    • Low impact CSRF bugs (such as logoff) 
    • Denial of Service issues (except withint the Azure Security Lab)
    • Sub-Domain Takeovers 
    • Cookie replay vulnerabilities 
    • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability) 
  • Vulnerabilities based on user configuration or action, for example: 
    • Vulnerabilities requiring extensive or unlikely user actions 
    • Vulnerabilities in user-created content or applications. 
    • Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks 
    • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) 
    • Vulnerabilities used to enumerate or confirm the existence of users or tenants 
  • Vulnerabilities based on third parties, for example: 
    • Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications 
    • Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities) 
  • Vulnerabilities in a web application that only affect unsupported browsers and plugins
  • Training, documentation, samples, and community forum sites related to Azure products and services are not in scope for bounty awards unless otherwise listed in "In-Sope Domains and Endpoints," for example:
    • azure.microsoft.com/en-us/services
    • docs.microsoft.com/en-us/azure
    • docs.microsoft.com/en-us/azure/*
    • docs.microsoft.com/en-us/cli/azure/*
    • github.com/Azure-Samples/
    • github.com/microsoft/iot-samples
    • azure.microsoft.com/en-us/resources/samples
    • feedback.azure.com/forums/*
       

We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

HOW DO I PROVIDE MY REPORT? 

Send your complete submission to Microsoft using the MSRC submission portal and the bug submission guidelines. We request you follow the Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.     

Have questions? We're always available at secure@microsoft.com.

BOUNTY AWARDS 

Microsoft retains sole discretion in determining award amounts and which submissions eligible and in scope. 

  • There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive. 
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.  
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.   
  • If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout award from a single bounty program.  

TERMS AND CONDITIONS 

For additional information on Microsoft bounty program requirements and legal guidelines please see our Bounty Terms and our FAQ

Am I eligibe for bounty if I find a vulnerability while pentesting Microsoft Azure?

It is your responsibility to comply with the Microsoft Cloud Unified Penetrtion Testing Rules of Engagement. To receive a bounty, an organization or individual must submit a report identifying a bounty eligible vulnerability to Microsoft using the MSRC submission portal and bug submission guidelines.

Thank you for participating in the Microsoft Bug Bounty Program! 

REVISION HISTORY 

  • September 2014: Program launched. 
  • April 2015: Program scope updated. 
  • August 2015: Program scope updated and bounty program name changed from Online Services to Cloud bounty program. 
  • July 17, 2018: identity related vulnerabilities moved into the Microsoft Identity Bounty Program. (https://www.microsoft.com/msrc/bounty-microsoft-identity) 
  • December 7, 2018: Updated program introduction, FAQ link, and added revision history section. 
  • January 17, 2019: Updated award ranges based on impact, severity, and report quality. Added in-scope summary. 
  • June 17, 2019: Azure bounty program separated from the Online Services Bounty Program, in scope Azure services highlighted, awards ranges increased. Training, documentation, sample, and community sites moved out of scope. Updated pentesting guidance.
  • August 29, 2019: Clarified Azure Security Lab scenarios. Added “persistent” to the DoS scenario, and removed  “to another guest VM” from the VM escape scenario.