The Microsoft Security Response Center (MSRC), the team that classifies, monitors, counters and fixes security incidents and vulnerabilities in Microsoft software, has launched the Azure DevOps Bounty program to strengthen the security offered to Azure DevOps customers. The team is offering rewards of up to USD 20,000 to participants who find eligible vulnerabilities in Azure DevOps online and Azure DevOps Server.
Rewards range from USD 500 to USD 20,000 and are awarded at Microsoft's discretion, based on the severity and impact of the vulnerability and on the quality of the submission, subject to the bounty terms and conditions. The products in scope are Azure DevOps Services, formerly known as Visual Studio Team Services, and the latest versions of Azure DevOps Server and Team Foundation Server. The primary purpose of the Azure DevOps Bounty program is to find eligible vulnerabilities that may directly impact the customer base. To be eligible, a submission must meet the following criteria: it must identify a previously unreported vulnerability in one of the services or products; it must be documented in a clear and reproducible way, as text or video; and web application vulnerabilities must impact supported browsers for Azure DevOps server, services, or plug-ins. Including any information vital to immediately reproducing and understanding the issue can result in a quicker response and higher rewards.
Microsoft may reject a submission if it considers that the submission does not meet these criteria. Interested candidates can send their submissions to firstname.lastname@example.org, following the bug submission guidelines. There is no limit on how many vulnerabilities participants can report or on the rewards for them. When there are multiple submissions, the first one will be chosen for the reward.