Microsoft offers bug hunters $100K to hack its Linux smart home software

Researchers have three months to find problems in the software for net-connected devices like baby monitors and refrigerators.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
2 min read
security image

The program is open to security researchers who apply by May 15.

James Martin/CNET

Microsoft wants Azure Sphere to be a really secure foundation for internet of things devices like webcams and garage doors, so it's offering researchers up to $100,000 to find a way to break into the technology. Azure Sphere combines an approved processor with Microsoft's own customized version of Linux called Sphere OS and a security service to detect problems and issue updates.

"We're providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud," said Sylvie Liu, a Microsoft security program manager, in a blog post this week. The program to find flaws in Azure Sphere OS is open to security researchers who apply by May 15, and those approved will get access to developer tools, Azure Sphere hardware and Microsoft researchers. They'll have until Aug. 31 to find problems.

Bug bounties are a common way for companies to attract hackers to find security problems a software maker might not find on its own. Google, for example, offers up to $150,000 to anyone who demonstrates a way to crack a Chromebook from a website, and Apple offers up to $1 million for the most serious attacks. The bounties also help find problems that might otherwise be sold to intelligence services or criminals wanting to break into computers.

Security vulnerabilities are a particular problem with low-cost internet of things devices that may come from companies you've never heard of and that may get software updates rarely, if ever. But there are millions of them, making them a widespread problem. The massive Mirai botnet attack of 2015, which took over countless devices like security cameras, digital video recorders and network routers, showed the magnitude of the problem.

A decade ago under the leadership of former Chief Executive Steve Ballmer, it would have been unthinkable that Microsoft might distribute its own version of Linux, an offshoot of the Unix operating system family that's built with the open-source principles Microsoft executives once called "un-American" and a "cancer." But things have changed under the reign of today's CEO, Satya Nadella. Linux is popular among many developers, and Microsoft now offers a version called the Windows Subsystem for Linux, or WSL 2.

Microsoft released its first version of Azure Sphere in February.