New bug bounty program for speculative execution

Mar 15, 2018 11:00 GMT

Microsoft has already patched the Meltdown and Spectre hardware vulnerabilities, and while the company says that more mitigations will launch in the coming months, it’s also trying to make sure that no exploits will target its users.

As a result, the software giant is launching a speculative execution bounty program with huge payments for whoever finds new bugs and discloses them to Microsoft.

For example, the Tier 1 section includes new categories of speculative execution attacks, and can bring a financial reward of no less than $250,000, while those qualifying for Tier 2 and Tier 3, which refer to Azure speculative execution mitigation bypass and Windows speculative execution mitigation bypass, respectively, can earn up to $200,000.

And last but not least, researchers who disclose an instance of a known speculative execution vulnerability in Windows 10 or Microsoft Edge that results in the disclosure of sensitive information across a trust boundary are eligible for a $25,000 bounty.

“Speculative execution side channel vulnerabilities require an industry response.  To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities.  Together with security researchers, we can build a more secure environment for customers,” Microsoft says.

Running through December 31

The new bug bounty program kicked off on March 14 and will be running through December 31, and Microsoft says that if any exploits are discovered, all details will be shared with other companies to deliver protections for all customers.

This good-guy approach shows that such hardware vulnerabilities are treated with maximum priority by Microsoft and its partners, and the software giant is among the first companies to launch a bug bounty program for speculative execution exploits.

You can find the full details of the new bug bounty program here, and make sure you read the full terms of service to find out what you need to do to qualify for a financial reward.