Secure research starts with responsible testing.
Microsoft Azure DevOps Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
Azure DevOps Services It spans the breadth of the development lifecycle to help developers ship software faster and with higher quality. Azure DevOps Services is committed to providing rock-solid security, and as a part of that we believe in close partnerships with security researchers and our user community. We invite eligible researchers to identify security vulnerabilities in targeted Azure DevOps services and products and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $20,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Web application vulnerabilities must impact supported browsers for Azure DevOps services and Azure DevOps Server and/or plug-ins
- We request researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:
- Azure DevOps Services (formerly Visual Studio Team Services)
- The latest publicly available versions of Azure DevOps Server and Team Foundation Server
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.
To learn about Azure DevOps, please see our documentation site.
Sign up for an Azure DevOps account or download a free trial of Azure DevOps Server.
AWARDS
Bounty awards range from $1,250 up to $20,000. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
GENERAL AWARDS
| Severity (all amounts in USD) | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Remote Code Execution | High Medium Low | $20,000 $15,000 $10,000 | $15,000 $10,000 $6,000 | $0 | $0 |
| Elevation of Privilege | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Information Disclosure | High Medium Low | $12,000 $8,000 $4,000 | $6,000 $4,000 $2,000 | $0 | $0 |
| Spoofing | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Tampering | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | |||
We recognize some issues are extremely difficult to reproduce and will take this into consideration when assessing the quality of a submission. Sample high- and low-quality reports are available here.
OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft, or are already known by the wider security community (refer to the Azure DevOps Developer Community as an additional resource)
- Vulnerabilities in any version other than Public Preview and RC releases of Azure DevOps and Azure DevOps Server
- Vulnerabilities that are addressed via product documentation updates, without change to product code or function
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities based on user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service, for example:
- Vulnerabilities in third-party software provided by Azure, such as gallery images and ISV applications
- Vulnerabilities in third-party extensions not included by default
- Vulnerabilities in platform technologies that are not unique to Azure DevOps and Azure DevOps Server (for example, IIS, OpenSSL, etc.)
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service
- Out-of-scope vulnerability types, including:
- Server-side information disclosure
- Sub-Domain Takeovers
- Denial-of-service (DoS) attacks of any kind, including but not limited to volumetric, protocol, and application-layer attacks. Cookie replay vulnerabilities
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of June 2023, for example, these include, without limitation:
- Dependency Confusion issues
- Training, documentation, samples, and community forum sites related to Azure DevOps Bounty Program products and services are out-of-scope for bounty awards
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information please see our FAQ.
REVISION HISTORY
- January 17, 2019: Program launched.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- June 01, 2023: Added Dependency Confusion issues to Out-of-Scope.
- May 13, 2025: Updated Research Rules of Engagement section.
- December 11, 2025: Updated hyperlinks and standardized language.