Azure Security Lab: Bug Bounties as a Service?
Beaty Consultancy is regarded within the industry as the guys with the tin hats. We are security nuts. With this time of year seeing lots of security conferences around the world, we get super excited for new services that help improve everyone’s security posture. So when Microsoft announced Azure Security Lab, we did a little happy dance!
What is a bug bounty?
It’s the cyber-security equivalent of the bounty hunters of the Old West, rounding up fugitives in exchange for money. Instead of fugitives, bug bounty hunters are researching and exploiting software bugs. When a bug is found, the bug bounty hunter will responsibly disclose the finding to the software vendor, and be paid their bounty.
After the software vendor is able to reproduce the bug, it is customary for there to be a 90-day period before the bounty hunter is able to publicise their findings. Professional hackers are a competitive bunch, and usually enjoy the plaudits from their peers for crafting well-engineered software exploits. Software vendors need time to fix their products. And the industry needs secure systems. So 90 days feels like a good amount of time to keep everyone happy.
Zero-day
The alternative to a cyber security threat being discovered by a bug bounty hunter is for a malicious hacker to find the bug and use it for bad. When this happens, we call it a zero-day attack, because nobody has seen this particular attack in the past. Zero-day attacks are bad!
For this reason, the bounties being offered by software vendors have to be very attractive. Bounties can be hundreds of thousands of dollars or more! Imagine finding a bug which allowed you to steal credit card information from everyone’s computer running a particular software package. If you were so inclined, you could make a lot of money from that, and for that reason, bug bounties need to be an attractive alternative.
So what is Azure Security Lab?
Azure Security Lab is a new service within Microsoft’s public cloud offering which encourages these types of hackers to compromise Microsoft’s systems within a controlled environment. Not any old charlie can rock up and start hacking the Azure platform though; this is an invite-only service. So if there’s anyone at Microsoft reading this… can we have a go??
But seriously, Microsoft are being pretty bullish about their new service, asking hackers to “confidently and aggressively test Azure”. We should all applaud Microsoft for their efforts, and for keeping our clouds more secure because of them. And what’s in it for the bug bounty hunters? A jackpot payout of $400,000.
Microsoft promises that the Azure Security Lab environment will be completely separate to anything production, which is good to know.
You can find out more about Azure Security Lab at Microsoft’s news page, but bizarrely, you’ll need to speak Russian to understand it (or use your browser’s built-in translator if you’re not up for learning a new language). And you can read more security news from Beaty Consultancy here.