New Microsoft bug bounty scheme offers up to $250,000 for serious flaws

16 Mar 2018

Microsoft storefront in Sydney, Australia. Image: ArliftAtoz2205/Shutterstock 

Microsoft is offering hundreds of thousands of dollars for the discovery of ‘speculative execution’ vulnerabilities.

Technology behemoth Microsoft is aiming to nip the next Meltdown or Spectre vulnerability in the bud with a lucrative new bug bounty program.

The company announced that it will pay up to $250,000 for the discovery of new speculative execution vulnerabilities, such as those that affected so many processors late last year. 

A new kind of vulnerability

Philip Misner, a security group manager at Microsoft’s Security Response Center, described speculative execution bugs as “a new class of vulnerabilities” and said that research exploring new attack vectors is likely already underway. The program is set to run until the end of 2018.

“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” Misner noted.

He warned that speculative execution side-channel vulnerabilities “require an industry response” and said that Microsoft would share the research disclosed to it in the program under the coordinated vulnerability disclosure principles.

A tiered reward system

The rewards are being distributed across four tiers.

  • Tier 1: New categories of speculative execution attacks – up to $250,000
  • Tier 2: Azure speculative execution mitigation bypass – up to $200,000
  • Tier 3: Windows speculative execution mitigation bypass – up to $200,000
  • Tier 4: An instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge that enables the disclosure of sensitive information across a trust boundary – up to $25,000

Intel working on fixes

The new initiative from Microsoft comes as Intel processors receive new updates and hardware protections against CPU flaws. While Meltdown is being taken care of with software updates, processor redesigns are required to protect against Spectre variants. Existing Intel processor owners will still have to rely on firmware updates, which may have an impact on machine performance.

Intel CEO Brian Krzanich said: “As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical.

“Our goal is to offer not only the best performance, but also the best secure performance.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects