The Azure Sphere Security Research Challenge is an expansion of Azure Security Lab, announced at Black Hat in August 2019. At that time, a select group of talented researchers was invited to come and do their worst, emulating criminal hackers in a customer-safe cloud environment.
This new research challenge aims to spark new high-impact security research in Azure Sphere, a comprehensive IoT security solution delivering end-to-end security across hardware, OS and the cloud. While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to search for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk.
This new research challenge is a three-month, application-only security research challenge offering special bounty awards and providing additional research resources to program participants.
To apply for this research program, submit the application form before May 15, 2020. Applications will be reviewed on a weekly basis and accepted researchers will be notified via email. This research challenge runs from June 1, 2020 through August 31, 2020 for researchers accepted through open application.
We will award a bounty of up to $100,000 for specific scenarios in the Azure Sphere Security Research Challenge during the program period. To learn more about the Azure Sphere architecture, terminology, and everything you need to get started with the research scenarios, visit Azure Sphere Documentation.
Two key scenarios are below; additional research scenarios, awards and program resources can be found on the Azure Security Lab program page.
- Ability to execute code on Pluton
- Ability to execute code on Secure World
This research challenge is focused on the Azure Sphere OS. Vulnerabilities found outside the research initiative scope, including the Cloud portion, may be eligible for the public Azure Bounty Program awards. Physical attacks are out of scope for this research challenge and the public Azure Bounty Program.
The Azure Sphere Security Research Challenge provides resources to support research, including:
- Azure Sphere development kit (DevKit)
- Access to Microsoft products and services for research purposes
- Azure Sphere product documentation
- Direct communication channels with the Microsoft team
The security landscape is constantly changing with emerging technology and security threats. Keeping Azure exceptionally secure for our customers is a top priority. By expanding the Azure Security Lab, we’re providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud.
Microsoft works hard to secure our cloud and software, and the help of security researchers amplifies our ability to continually increase security. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have helped us continue to secure millions of customers.
Additionally, our partnership with the global security community is key to keeping our customers secure. We appreciate the collaboration in this research initiative with our key industry partners, and strongly believe that expanding the Azure Security Lab will help to continue to protect our cloud and Azure Sphere.
The Azure Sphere Security Research Challenge partnership brings Microsoft together with Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems Inc (Talos), ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler, who all bring expertise in IoT security research. This kind of collaboration complements Microsoft’s internal work to secure the ecosystem, as digital transformation leads more and more customers to the cloud, where connected IoT devices must be secured.
Sylvie Liu, Security Program Manager, Microsoft Security Response Center