It is my pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we are adding a security bug bounty program for Azure DevOps in partnership with the Microsoft Security Response Center (MSRC) to our suite of Bounty programs.
Our Bounty program rewards independent security researchers who find flaws and report them to us responsibly. We’ll publicly recognize the researchers who report these security issues, and for high-severity bugs we’ll present payments of up to $20,000 USD.
These rewards help motivate researchers to find security vulnerabilities in our services and let us correct them before they’re exploited by attackers. You can find the details of our Bug Bounty program with MSRC.
Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework. We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.
If you’re interested in the way our team approaches security and how we continue to evolve our thinking and practices, then I’d encourage you to watch the video of my talk “Mindset shift to a DevSecOps culture.”
This program will help us provide the highest level of security for our customers, protect customer data, and ensure the availability of Azure DevOps. I’m looking forward to seeing what we learn from working more closely with the security community.