Aspiring bug hunters often set their sights on targets that are both lucrative and accessible. Among the tech giants, Google, Microsoft, and Apple offer some of the most enticing reward programs for security researchers. While Apple is known for its high bar, Google for its open doors, and Microsoft for its diverse range of products and reward schemes, it is Microsoft that offers a unique landscape for bug bounty hunters.
This presentation will delve into my personal journey targeting the Microsoft Azure rewards program, detailing the strategies I employed to identify optimal targets, develop novel exploitation techniques, and discover a plethora of RCE vulnerabilities. Join me as I recount how these efforts led to a top-three position on the MSRC Leaderboard for three consecutive quarters and a third-place finish in the annual 2024 rankings. For those eager to explore opportunities within Azure’s bounty program, this session is not to be missed.