Azure Security Lab: a new space for Azure research and collaboration

By MSRC Team  on 5 August 2019

Azure is exceptionally secure.  To help keep it that way, we are doubling the top bounty reward for Azure vulnerabilities to $40,000.  But we aren’t stopping there.

To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented individuals to come and do their worst to emulate criminal hackers in a customer-safe cloud environment called the Azure Security Lab.

The Azure Security Lab is a set of dedicated cloud hosts for security researchers to test attacks against IaaS scenarios, and which is isolated from Azure customers. As well as offering a secure testing space, the lab program will enable participating researchers to engage directly with Microsoft Azure security experts. Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag.

Applications to join the Azure Security Lab open today. To request a Windows or Linux VM, go to our request form.

The isolation of the Azure Security Lab allows us to offer something new: researchers can not only research vulnerabilities in Azure, they can attempt to exploit them. Those with access to the Azure Security Lab may attempt the scenario-based challenges with top awards of $300,000. For more details on the new and increased awards please see the Azure Bounty Program page.

To provide clarity to researchers as they work to identify and disclose potential vulnerabilities, today we are formalizing our two-decade commitment to the principle of Safe Harbor. These principles complement our current bounty program terms and help researchers ensure they receive recognition for their work.

Microsoft is committed to ensuring our cloud is secure from modern threats. We built Azure with security in mind from the beginning, and work to help customers secure their Azure cloud environment with products such as Azure Sentinel and Azure Security Center. And if a situation arises, our Cloud Defense Operations Center (CDOC) and security teams work around the clock to identify, analyze and respond to threats in real time.

We work hard to earn your trust in the cloud, but we don’t do it alone. Partnerships are core to our security strategy, and one of our key partners is the global community of security researchers. By identifying and reporting vulnerabilities to Microsoft through coordinated vulnerability disclosure, security researchers have repeatedly demonstrated that working together helps protect customers.  In appreciation of their efforts and the opportunity to mitigate issues before they are publicly known and used for harm, we’ve issued $4.4 million dollars in bounty rewards over the past 12 months.

We appreciate our security partners across the industry, and believe the new programs we’re announcing today will help further protect the Azure ecosystem.