Microsoft Azure Bounty Program — Scope Notes & Source-Audit Methodology

Last updated: 2026-07-02
Related: Vulnerability Research (domain), Integer Overflows, Use After Free, Researchers
Tags: resource, bug-bounty

Summary

Field notes from VictorV’s run at the Microsoft Azure bug-bounty program, focused on the Azure RTOS stack (NetX / NetX Duo, ThreadX). The value here is twofold: (1) how program scope shifts under you, and (2) a reusable source-code memory-safety audit methodology that repeatedly paid off across C networking libraries.


Program Scope — Read the Fine Print

  • The program covers products listed on the Azure Products page, but binary components (e.g. Azure Site Recovery, Azure Defender for IoT) sit in a gray area — confirm in writing before investing. The author emailed bounty@microsoft.com and got confirmation that Azure RTOS NetX and NetX Duo were in-scope before submitting.
  • Scope contracts over time. Microsoft added open-source components to the out-of-scope list on 2023-12-20 and re-emphasised it on 2024-08-05, substantially reducing what gets paid. Re-check scope each engagement; a target that paid last quarter may be excluded now.

Findings (Azure RTOS)

Finding                | Component                                       | Bug class
-----------------------|-------------------------------------------------|------------------------------------------------------------------
ICMP off-by-one        | NetX checksum on fragmented IP with odd length  | 1-byte OOB write past packet buffer → corruption → RCE
12× SNMP bugs          | Azure RTOS SNMP addon                           | improper length validation in variable parsing → buffer overflow / RCE
FTP double-free        | FTP QUIT command                                | pointer not nulled after packet release → double-free (multi-threaded race)
7× UDP UAF             | nxd_udp_socket_send() ownership confusion       | callee may release the packet; callers double-free in error paths
AMQP integer overflow  | binary decode (uamqp)                           | 32-bit length overflow → zero-length alloc → heap corruption

The AMQP bug was “one fish, three catches”: the same incomplete patch existed across azure-uamqp-c, Azure-sdk-for-cpp, and azure-uamqp-python.


Reusable Methodology

The recurring, systematic patterns that surfaced these bugs:

  1. Release-point auditing — grep the tree for (delete|destroy|free|release) (excluding tests) and inspect every release site.
  2. Pointer-nullification verification — confirm each released pointer is zeroed; a non-nulled pointer is a double-free/UAF candidate (the FTP/UDP bugs).
  3. Multi-release detection — hunt duplicate release paths in error-handling branches.
  4. Length-math divergence — look for size increments that are not mirrored by a corresponding decrement or bounds check (the SNMP and AMQP bugs); these become integer overflows and OOB accesses.
  5. Cross-project patch-sync — when a bug is fixed in one project, check every project that vendored/derived the same code; patches often don’t propagate (the AMQP triple).
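A worked illustration of step 4 and the AMQP row above, added here and not taken from VictorV's write-up or from the uamqp code: a constructed TLV decoder whose naive 32-bit length sum wraps to zero (the shape that leads to a zero-length allocation), beside a checked version that compares the claimed length against what actually remains in the buffer. The wire format, HDR_LEN and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for the example (not the real AMQP encoding):
   1-byte tag, 4-byte big-endian length, then `length` bytes of value. */
#define HDR_LEN 5u

/* Hypothetical "before": the 32-bit sum wraps for large lengths, so the
   total becomes 0 and a zero-length allocation would follow. Returns the
   (possibly wrapped) total and never allocates, so it is safe to call. */
uint32_t naive_total_len(uint32_t value_len) {
    return HDR_LEN + value_len;   /* wraps when value_len > UINT32_MAX - HDR_LEN */
}

/* Checked decode: copies the value out of `buf` into a fresh allocation.
   Returns 0 on success (caller frees *out), -1 on a malformed length. */
int decode_tlv_checked(const uint8_t *buf, size_t buflen,
                       uint8_t *tag, uint8_t **out, size_t *out_len) {
    if (buflen < HDR_LEN) return -1;                 /* no room for the header */
    uint32_t value_len = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                         ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    /* Compare against what remains instead of adding to the header size:
       the subtraction cannot wrap because buflen >= HDR_LEN was checked. */
    if (value_len > buflen - HDR_LEN) return -1;     /* claims more than is present */
    uint8_t *v = malloc(value_len ? value_len : 1);  /* sidestep malloc(0) ambiguity */
    if (!v) return -1;
    memcpy(v, buf + HDR_LEN, value_len);
    *tag = buf[0]; *out = v; *out_len = value_len;
    return 0;
}

int main(void) {
    /* Constructed record: tag 0x02, length 0xFFFFFFFB, three trailing bytes. */
    uint8_t wrap[] = {0x02, 0xff, 0xff, 0xff, 0xfb, 0, 0, 0};
    uint8_t tag; uint8_t *out; size_t n;
    printf("naive total for 0xFFFFFFFB: %u\n", naive_total_len(0xFFFFFFFBu));
    printf("checked decode: %d\n", decode_tlv_checked(wrap, sizeof wrap, &tag, &out, &n));
    return 0;
}
```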

Strategic lessons: exhaust high-value targets rather than skimming many; build systematic techniques instead of ad-hoc reading; and test the marginal/gray-area targets — a borderline submission costs nothing to try.

