- Microsoft is doubling its top bug bounty award for Azure to $40,000, according to a company announcement Monday.
- In order for researchers to more "aggressively' pursue faults in Azure, Microsoft called on specific individuals to "do their worst" in emulating malicious actors. The exercises are carried out in the Azure Security Lab, a "customer-safe cloud environment."
- The Azure Security Lab isolates research so individuals can look for vulnerabilities and exploit them. Scenario-based challenges elicit awards reaching $300,000.
Bug bounty programs are meant to fill the gaps in cybersecurity organizations. More than 60% of businesses struggle finding adequate cybersecurity talent.
A lack of role standardization and narrow job descriptions hinder companies' abilities to round out their security teams.
In addition to supplementing talent or making up for where it's lacking, bug bounty programs allow companies to use outside knowledge of white hat hackers to find flaws.
As Microsoft puts it, "we work hard to earn your trust in the cloud, but we don't do it alone."
Companies that can't hire people that think like hackers rely on bug bounty programs to outsource those skills.
Companies with broad attack services, like Verizon, with several brands existing under the parent company, use bug bounty programs to supplement their security red teams. Verizon-owned Yahoo started a public program in 2013, allowing essentially anyone on the internet to participate.
Verizon Media, however, operates like Microsoft's Azure Security Lab, with invitation-only programs.
Google's attack surface stretches across the search engine, YouTube, Google Cloud, applications and hardware devices. They are all eligible web services in its bug bounty program.
Participants can make more than $31,000 for finding a remote execution vulnerability, like command injection, deserialization bugs and sandbox escapes.
Bug bounty programs, however, are not without risk. Participants, whether researchers or hackers, have the potential to gaslight a company.
If hackers find a vulnerability severe enough, it could jeopardize customers' impression of the company's security standards.
But as for attracting truly bad actors to a bug bounty program, the odds are slim. Most programs have limitations on data access rights.