Microsoft reveals Spectre/Meltdown bug bounty program
A Speculative Execution Bug Bounty Program with bounties of up to $250,000
Published: 16th March 2018 | Source: Microsoft
Microsoft reveals Spectre/Meltdown Speculative Execution bug bounty program
Most of you will know of the Speculative Execution attack vectors known as Spectre and Meltdown, which together affect processors from Intel, ARM and AMD, though some to a greater extent than others. The key here is that while these are hardware quirks, they will be exploited in software, making this a huge concern for companies like Microsoft.
Microsoft has already released some software mitigations for these vulnerabilities and has committed to releasing Intel's microcode mitigations through its Windows Update platform, taking the problems posed by these exploits seriously. Now the company has revealed a new Speculative Execution bug bounty program, incentivising research into these types of vulnerabilities by offering rewards.
Today, Microsoft is announcing the launch of a limited-time bounty program for speculative execution side channel vulnerabilities. This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field.
In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues.
This program will offer bounties for instances of Speculative Execution vulnerabilities in Windows 10 or Microsoft Edge, bypasses for Microsoft's existing mitigations in Windows and its Azure cloud computing platform, and new categories of speculative execution attacks that go beyond today's Spectre and Meltdown varieties.
The program will be open until December 31st, 2018, with Microsoft hoping to address the issues raised by these exploits before the end of the year.
What Microsoft is doing here is employing the knowledge of the PC security community, coordinating its efforts to find new vulnerabilities and inform Microsoft about any discoveries. This allows the company to address potential issues without having to dedicate the same resources to the problem itself.