Today, we are announcing the addition of Azure to the Microsoft Online Services Bug Bounty Program. Azure is excited to join Office 365 and others in rewarding and recognizing security researchers who help make our platform and services more secure by reporting vulnerabilities in a responsible way.
The security of the Azure cloud platform is paramount to Microsoft and we recognize the trust that customers place in us when hosting applications and storing data in Azure. We are committed to provide a secure cloud through:
- Adhering to the Security Development Lifecycle (SDL) that Microsoft itself created as part of its Trustworthy Computing initiative and is considered an industry-leading methodology for developing secure software
- Using the Operational Security Assurance (OSA) framework as a template for operational security which builds on the SDL and decades of experience Microsoft has had in delivering online services
- Conducting regular penetration tests against our services
- Leveraging a full-time Red Team to continuously assess and improve our security controls and procedures
- Many rigorous security and compliance accreditations to provide customers with third-party audited proof of cloud security
While we remain committed to providing significant resources towards making our platform secure, we also understand that security assessments are an important part of our customers’ application development and deployment. That is why we have long allowed customers to carry out authorized penetration testing on their own applications that are hosted in Azure.
With the addition of Azure to the Microsoft Online Services Bug Bounty Program, customers now have the ability to perform targeted security vulnerability assessments of the Azure platform itself. If issues are identified that meet the eligibility requirements, the finder can be rewarded for their work that helps makes Azure a more secure platform for all.
We would also like to extend a big ‘Thank you!’ to everyone in the community who has reported Microsoft Azure issues in the past, and are looking forward to rewarding your efforts in the future. In addition, we will be paying bounties for any submissions received since January 1, 2015 if the submission would have been eligible under the updated program.
Azure’s inclusion in the Online Services Bug Bounty program is just one of several expansions to our bounty programs being announced today – for more information check out the MSRC blog.
For more details about Azure’s investments in security, compliance and privacy, please visit the Microsoft Azure Trust Center. We will be continuing to update the Trust Center and this blog with more announcements, updates and content to meet the needs of the community going forward.
—David B. Cross