Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional awards for identifying innovative or novel attack patterns. Up for the challenge? Sign up for updates here.
Microsoft is committed to ensuring our cloud is secure from modern threats. Our Cyber Defense Operations Center (CDOC) and security teams work around the clock to identify, analyze and respond to threats in real time, and we work to help customers secure their Azure cloud environments with products such as Azure Sentinel and Azure Security Center. Partnerships with the global community of security researchers are an important part of our security strategy.
This Azure SSRF Research Challenge will run from August 19, 2021, through November 19, 2021, with SSRF research resources and the opportunity to collaborate with members of the Microsoft Cloud security team.
Scenarios and Bounty Awards
We will award up to 50% bonuses on top of the current Azure Bounty Program for specific scenarios in the Azure SSRF Challenge during the program period. To learn more about eligible research challenge scope and award amounts, please visit the Azure Security Lab page.
| Scenarios | Bonus Amount (up to) |
|---|---|
| Protocols other than HTTP (e.g., FTP bounce attack) | 50% |
| Stored SSRF (as analogous to stored XSS) | 50% |
| “Deep” SSRF Example: SSRF attacks that are only evident far into the state machine of the victim Example: SSRF manifesting beyond the direct exploitation of a UI/client-side feature exposed by the service to the users. | 50% |
| Multi-hop SSRF (i.e., more than one confused deputy) | 40% |
| SSRF in combination with CSRF | 30% |
| General SSRF Award | 10% |
Why Microsoft Partners with Security Researchers
The security landscape is constantly changing with emerging technology and security threats. Microsoft seeks to continually expand and improve how we partner with our researcher community to mitigate those threats. Through this challenge, we will gain further insight into not only how we can better protect Microsoft users against general SSRF vulnerabilities, but also partner with researchers to identify and award new and creative attack patterns.
If you have any questions about the Azure SSRF Research Challenge or general inquiries about any other security research incentive program, please email us at bounty@microsoft.com.
Madeline Eckert, Senior Program Manager, MSRC