Microsoft bug bounty program: $250k for reporting Meltdown & Spectre type flaws

The bug bounty program will remain open until December 31st, 2018.

Recently, the disclosure of serious CPU flaws called Spectre and Meltdown shook the tech community. Although the immediate damage has been contained considerably, there is still room for further mitigation.

That is likely why Microsoft has rolled out a new bug bounty program focused on discovering speculative execution side channel flaws.

Speculative execution side channels are a class of hardware vulnerability that affects CPUs from multiple manufacturers, not just one. A processor executes instructions ahead of knowing whether they are actually needed, and although the results of wrong guesses are discarded, the cache and timing footprint of that discarded work can leak data across security boundaries.

This is a short-term program that will remain open until December 31, 2018. Microsoft is offering up to $250,000 for new categories of speculative execution attacks that are currently undisclosed.

“In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues,” stated Microsoft principal security group manager, Phillip Misner.

These vulnerabilities came to light in January 2018, when three variants were disclosed: bounds check bypass (Spectre Variant 1, CVE-2017-5753), branch target injection (Spectre Variant 2, CVE-2017-5715), and rogue data cache load (Meltdown, Variant 3, CVE-2017-5754). All three can allow an attacker's code to read memory it should not have access to, such as passwords or encryption keys belonging to other processes or the kernel.
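To make the vulnerability class concrete, the following C program is an added example written for this article; it is not code from Microsoft, the researchers, or the bounty program. It shows the shape of a Variant 1 (bounds check bypass) gadget next to the two styles of fix that vendors have shipped: branch-free index masking, modelled on the Linux kernel's array_index_nospec() pattern, and a speculation barrier after the bounds check, which is what compiler switches such as MSVC's /Qspectre insert. The arrays, sizes and function names are constructed for the demonstration; the program does not perform the cache-timing step of a real attack, it only shows why the unsafe gadget is dangerous and that the mitigated versions keep identical architectural behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for the demonstration (not taken from the article). */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16 };
/* Probe array: one 512-byte stride (at least a cache line) per possible byte value. */
static uint8_t array2[256 * 512];

/* Fill the probe array so that array2[v * 512] == v. This only makes the
 * return values easy to follow; it is not part of the attack. */
void init_probe_array(void) {
    for (unsigned v = 0; v < 256; v++)
        array2[v * 512] = (uint8_t)v;
}

/* Variant-1 shaped gadget (bounds check bypass, CVE-2017-5753).
 * Architecturally this is correct: an out-of-bounds x returns 0. But a CPU
 * that has been trained to predict the branch as taken will speculatively
 * run the body for an attacker-chosen x, load the byte at array1 + x (which
 * may be anywhere in the victim's address space), and use it to touch one
 * line of array2. The speculation is squashed, the cache footprint is not,
 * and the attacker recovers the byte by timing accesses to array2. */
uint8_t victim_unsafe(size_t x) {
    if (x < ARRAY1_SIZE) {
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Mitigation 1: branch-free index masking, the pattern the Linux kernel
 * ships as array_index_nospec(). Returns all-ones when index < size and
 * zero otherwise, using arithmetic the branch predictor cannot influence.
 * The empty asm stops the compiler from deleting the mask as redundant
 * after the bounds check (it is redundant architecturally, which is
 * exactly why an optimiser would remove it). */
size_t index_mask_nospec(size_t index, size_t size) {
    __asm__ volatile("" : "+r"(index));
    /* size - 1 - index wraps to a huge value exactly when index >= size */
    return (size_t)(~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1));
}

uint8_t victim_masked(size_t x) {
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);   /* becomes 0 on a mispredicted path */
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Mitigation 2: a speculation barrier after the check. LFENCE makes the
 * CPU wait for earlier instructions, including the compare, to complete
 * before later loads can issue, so the out-of-bounds load never happens. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ volatile("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");  /* compiler-only fence: no hardware barrier known here */
#endif
}

uint8_t victim_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void) {
    init_probe_array();
    printf("mask(3,16)=%zx mask(16,16)=%zx mask(1000,16)=%zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16), index_mask_nospec(1000, 16));
    for (size_t x = 0; x < ARRAY1_SIZE + 2; x++)
        printf("x=%2zu unsafe=%2u masked=%2u fenced=%2u\n", x,
               victim_unsafe(x), victim_masked(x), victim_fenced(x));
    return 0;
}
```

Both mitigations return exactly what the unsafe version returns for every input; the difference is only in what the processor is permitted to do on the mispredicted path. Masking is cheaper and portable, while the barrier is simpler to apply mechanically, which is why compilers insert it at gadgets they can recognise.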

Processors from a variety of manufacturers, including Intel, AMD, and ARM, are affected, although not every variant applies to every vendor (AMD, for example, has said its processors are not affected by Variant 3). Microsoft has already shipped software and firmware updates to mitigate the issue on its own devices that use these processors.

Microsoft's view is that Meltdown and Spectre are only the first known examples of a broader class of issues, so mitigating these two alone will not resolve the problem; further research is needed to find the others.

“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” revealed Misner in a post.

Microsoft also plans to share the program's findings with other affected vendors and the wider industry, since the goal is not to gain an edge over competitors but to keep Windows users secure. As Misner noted:

“Speculative execution side channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities. Together with security researchers, we can build a more secure environment for customers.”

The program has four tiers. Tier 1, new categories of speculative execution attacks, pays up to $250,000. Tier 2, speculative execution mitigation bypasses for Azure, pays up to $200,000, and Tier 3 covers the same kind of bypass for Windows, also up to $200,000. Tier 4, an exploitable instance of an already-known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge, pays up to $25,000.

Microsoft's program arrives as Intel prepares hardware changes to its processors to protect against Spectre-class attacks.

Intel's next-generation Xeon processors (Cascade Lake) and its 8th-generation Core processors due later in 2018 will include hardware-level protections; Intel has said these silicon changes address Variants 2 and 3, while Variant 1 continues to be mitigated in software. Existing CPUs rely on microcode (firmware) updates for protection.

Last month, researchers identified 139 malware samples related to Meltdown and Spectre, most of which appear to be based on the publicly released proof-of-concept code, which shows that criminals are already experimenting with these flaws. The bounty program and the firmware updates can both play a role in protecting users before large-scale attacks materialize.
