Microsoft Offers $250,000 Bug Bounty To Prevent Another Spectre-Meltdown Fiasco

With critical vulnerabilities like Meltdown and Spectre having been disclosed to the public, it's clearer than ever that more eyeballs are needed when it comes to making sure that our software and hardware is secure. Not long after Intel suffered the bulk of fallout from Meltdown and Spectre, the company bolstered its bug bounty program to encourage more people to dive in and discover bugs before they can be exploited.

Intel made great strides to improve the program overall by cutting out the invite-only requirement, allowing anyone to find, explore and report potential bugs. Clearly, Microsoft liked that idea, as it has also enhanced its bug bounty program to offer the the same top quarter million dollar reward that Intel is coughing up.

Microsoft Building

There is a caveat, however; this particular set of bug bounty rules is exclusive to vulnerabilities that surround speculative execution bugs, which are at the heart of Meltdown and Spectre. Microsoft lays out explicit details about what kind of bug would qualify:

  • A novel category or exploit method for a Speculative Execution Side Channel vulnerability.
  • A novel method of bypassing a mitigation imposed by a hypervisor, host or guest using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from another guest.
  • A novel method of bypassing a mitigation imposed by Windows using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the kernel or another process.
  • A novel method of bypassing a mitigation imposed by the Microsoft Edge using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the Microsoft Edge content.

In order to qualify for the big "prize" of $250,000, the submission must involve a bug that is in a novel category of speculative execution attack that neither Microsoft nor industry partners are aware of. Ideally, this is the payout Microsoft would pay most often, because those bugs would clearly be the most severe. Other levels include reading sensitive memory involving virtual machines and verification of certain bugs actually being exploitable with select Microsoft products, such as Windows 10 or the Edge web browser.

Overall,  this is a great move from Microsoft and i's somewhat reassuring as normal end-users to see this kind of commitment being made. 


Show comments blog comments powered by Disqus