Microsoft is offering hundreds of thousands of dollars for the discovery of ‘speculative execution’ vulnerabilities.
Technology behemoth Microsoft is aiming to nip the next Meltdown or Spectre vulnerability in the bud with a lucrative new bug bounty program.
The company announced that it will pay up to $250,000 for the discovery of new speculative execution vulnerabilities, such as those that affected so many processors late last year.
A new kind of vulnerability
Philip Misner, a security group manager at Microsoft’s Security Response Center, described speculative execution bugs as “a new class of vulnerabilities” and said that research exploring new attack vectors is likely already underway. The program is set to run until the end of 2018.
“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” Misner noted.
He warned that speculative execution side-channel vulnerabilities “require an industry response” and said that Microsoft would share the research disclosed to it in the program under the coordinated vulnerability disclosure principles.
A tiered reward system
The rewards are being distributed across four tiers.
- Tier 1: New categories of speculative execution attacks – up to $250,000
- Tier 2: Azure speculative execution mitigation bypass – up to $200,000
- Tier 3: Windows speculative execution mitigation bypass – up to $200,000
- Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary – up to $25,000
Intel working on fixes
The new initiative from Microsoft comes as Intel processors receive new updates and hardware protections against CPU flaws. While Meltdown is being taken care of with software updates, processor redesigns are required to protect against Spectre variants. Existing Intel processor owners will still have to rely on firmware updates, which may have an impact on machine performance.
Intel CEO Brian Krzanich said: “As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical.
“Our goal is to offer not only the best performance, but also the best secure performance.”