Microsoft, Apple Level Up Bounties

Microsoft and Apple have both leveled up their bug bounty programs with new incentives for security researchers.

Microsoft has doubled the top bounty reward for vulnerabilities in its Azure cloud software to $40,000. It also introduced a hacker environment called the Azure Security Lab, a dedicated cloud infrastructure that lets cybersecurity researchers test out their skills in an IaaS environment.

Hackers don’t get to color outside the lines. Instead, the Lab includes a series of scenario-based challenges that they can follow to try to exploit the system. They can earn up to $300,000 if they succeed, according to Microsoft’s blog post announcing the Lab.

Hackers wanting access to the Azure Security Lab must request a Windows or Linux VM.

Apple is also reportedly fleshing out its existing bounty program in two ways. Forbes reports that the company will announce plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don’t get. These phones, which will be available only to existing participants in Apple’s invitation-only bug bounty program, will let them inspect system memory, for example.

Apple will also unveil a bug bounty program for its macOS operating system, according to the report. This could mean that researchers like Linus Henze, who discovered a bug in the Mac operating system’s keychain password manager earlier this year, will finally get paid. The teenager had originally planned not to privately disclose the bug to Apple because it hadn’t been paying for macOS bugs.

An announcement at Black Hat 2019 this week would mark the third anniversary of Apple’s original bug bounty program, in which it promised to pay up to $200,000 for the best reported security flaws.

This post was originally published by Infosecurity Magazine on
