Microsoft Offers $15,000 Nano Server Bug Bounty

Microsoft has expanded its bug bounty program to include Nano Server, its soon-to-be-launched cloud and container-focused module for the Windows Server 2016 platform.

The Nano Server technical preview bounty program for Windows Server Technical Preview 5 (try saying that three times fast) will run through July 29. Nano Server is expected to launch in Q3 2016.

Nano Server, as its name suggests, is a minimal footprint installation of Windows Server that is highly optimized for the cloud and for containers, according to Microsoft, which said, “It is designed for fewer patch and update events, faster restarts, better resource utilization and tighter security.” It’s essentially a remotely administered, headless installation option of the server operating system, focused on two scenarios: as the host for compute and/or storage clusters, and as a lightweight OS in a virtual machine or container for “born in the cloud” applications.

Payouts for bug bounty hunters start at $15,000 for flaws tied to remote code execution in Nano Server. Microsoft will pay $9,000 for bugs relating to remote unauthenticated denial of service attacks, successful elevation of privileges and vulnerabilities tied to specific Nano Server DLLs. Payouts of $500 will go to bug bounty hunters who find vulnerabilities ranging from flawed DLLs to ones tied to surreptitious information disclosures.

Hyper-V escapes and mitigation bypass vulnerabilities will be evaluated against the Mitigation Bypass Bounty instead.

Microsoft continues to expand its programs. Last year, it announced a raft of improvements designed to encourage more researchers to find flaws in its software. Key among these was a doubling of the Bounty for Defense, from $50,000 to $100,000, which Microsoft security architect Jason Shirk argued will “bring defense up on a par with offense” and “rewards the novel defender equally for their research.”
