Microsoft Will Pay Up to $200k to Anyone Who Hacks the Azure Sphere OS

By Bill Toulas / May 6, 2020

There was a time when Microsoft was suing hardware vendors who were using Linux-based systems for patent violation, and when its subsidiaries were going after Linux OS makers and even users - but all that seems to be far behind now. The software giant is so confident about the security of its own custom Linux OS, the Azure Sphere OS, that it has set a bounty for anyone who can hack it in the next three months. For this, they have opened up the “Azure Sphere Security Research Challenge,” and they are now accepting applicants.

One of the two key scenarios is to demonstrate the capacity to execute code on “Pluton”; the other is to show the ability to execute code on “Secure World.” Each is rewarded with $100,000. Microsoft Pluton is the Azure Sphere’s security subsystem, part of the secured boot process, and the system that is responsible for activating various software components, providing runtime services, processing requests, etc. The Secure World is a container-based operating environment that accepts only Microsoft-supplied code. It is meant to provide security by limiting access to external resources, allowing certain application and device capabilities, and enforcing a strict signature policy.

So, running code there won’t be a walk in the park for even the most talented hackers out there, and this is precisely why the bounty is set so high. If you are confident that you can do it, you are invited to apply for the challenge through this MS form page. Just make sure to do it before May 15, 2020, when the application window closes. If you are accepted, you will receive an email containing instructions on what to do next, as well as links to access the required resources. Additionally, you may send an email to “[email protected]” for any questions that the Microsoft Security Response Center agents could answer. The program will run between June 1 and August 31, 2020.

Microsoft wants the Sphere OS to become a state-of-the-art, secure, high-level, and real-time-capable applications platform for the IoT space. It is the company’s first-ever Linux-kernel-based operating system developed for external clients. The system became publicly available about two months ago, but there’s still some work left to ensure the robustness of the cloud-based security service (AS3). For this purpose, Microsoft is already collaborating with HackerOne, McAfee, Palo Alto Networks, ESET, FireEye, F-Secure, Bitdefender, Avira, Baidu, and Cisco Systems, so the announcement of the upcoming bug bounty program comes as a complementary effort.
