Microsoft has paid cybersecurity researchers $374,300 in the Azure Sphere Security Research Challenge, a competition that lasted three months. In total, the experts managed to find 20 important vulnerabilities. The bugs have been fixed with the release of the 20.07, 20.08 and 20.09 updates.
In total, 70 researchers from 21 countries took part in the competition. They submitted 40 reports to the company, 30 of which led to the release of patches, and 16 of which received bug bounty payments (a total of $374,300). The largest reward paid was $48,000 and the smallest $3,300.
As part of the study, Microsoft invited the world's leading cybersecurity experts and security vendors to try to compromise the company's products using the types of attacks most commonly used by cybercriminals. The contestants were provided with a development kit, direct communication with the OS security team, email support, and publicly available operating system kernel code.
The goal of the competition was to focus researchers' attention on what has the greatest impact on customer safety. Therefore, the experts were given six research scenarios with up to 20% additional reward on top of the standard Azure Bounty reward (up to $40,000), as well as $100,000 for two high priority scenarios.
The study was conducted in partnership with Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems Inc (Talos), ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.
McAfee experts have already published a detailed report about their research, which you can read on the company's blog. The researchers said they received $160,000, which they plan to donate to charity. They managed to gain root access by combining six bugs, three of which were deemed critical. McAfee analysts also found a previously unknown vulnerability in the Linux kernel.
Specialists from Cisco Talos have also already submitted their findings. They identified over a dozen issues, including arbitrary code execution, denial of service (DoS), information disclosure, and privilege escalation.