Talk

Mastering the Azure Bounty Program: A Bug Hunter’s Quest for High-Impact Vulnerabilities

March 14, 13:30 (CLOUD)

Aspiring bug hunters often set their sights on targets that are both lucrative and accessible. Among the tech giants, Google, Microsoft, and Apple offer some of the most enticing reward programs for security researchers. While Apple is known for its high bars, Google for its open doors, and Microsoft for its diverse range of products and reward schemes, it is the latter that offers a unique landscape for bug bounty hunters.

This presentation will delve into my personal journey targeting the Microsoft Azure rewards program, detailing the strategies I employed to identify optimal targets, develop novel exploitation techniques, and discover a plethora of RCE vulnerabilities. Join me as I recount how these efforts led to a top-three position on the MSRC Leaderboard for three consecutive quarters and a third-place finish in the annual 2024 rankings. For those eager to explore opportunities within Azure’s bounty program, this session is not to be missed.

Speaker

VictorV

VictorV is the Senior Cybersecurity Engineer. His X account is @vv474172261. He is a binary security researcher. He used to work at Vulcan Team of 360 Security. He was awarded Master of Pwn at Pwn2Own in 2017, “The Most Outstanding Technical Achievement Award” at TianfuCup in 2018, “The Best Innovation Breakthrough Award” at TianfuCup in 2023, VMware Escape at TianfuCup in 2018, 2021 and 2023, Hyper-V Escape in 2021, Top2 of MSRC leaderboard for Q3/Q4/2024 Q1/Annual/Q3, and he was a speaker at BlackHatAsia 2024/Zer0Con2022/HITB/VxCon.

Organized by

Technology partners

Partner events

Scroll to Top