Microsoft revealed the results of a bug-bounty effort directed at its Azure Sphere IoT platform, as the company gathered 40 submissions and paid 16 bounties.
The Azure Sphere is a relatively new player in the IoT ecosystem, and while Microsoft makes it, it uses a custom Linux kernel. Because it aims to be a secure environment to deploy and use IoT devices, it has to deal with the most significant issue the ecosystem faces today — security.
One way to secure the platform is to organize bug bounty programs and ask white-hat hackers to test and find any vulnerabilities that might lurk under the surface. It’s always good to work proactively in finding bugs and security issues than to allow hackers to find and exploit them in the wild.
“Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product,” says Microsoft. “Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as ‘by design.’”
Because developers patch the vulnerabilities found through bug-bounties programs, it doesn’t mean the platform is now completely secure. As a case in point, a couple of months ago, security researchers from Cisco discovered multiple vulnerabilities in Microsoft’s Azure Sphere. That, too, happened through another program called the Azure Sphere Security Research Challenge.
The IoT ecosystem is booming right now and shows no sign of slowing down. Not even the pandemic slowed the deployment of new devices. If anything, it triggered a surge in IoT adoption because the market demanded it for remote working, thus creating unknown attack vectors for threat actors to explore.