Microsoft is offering a short-term bug bounty program for speculative execution side-channel vulnerabilities and threats.
Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.
The bug bounties - on offer through December 31, 2018 - are:
Tier 1: New categories of speculative execution attacks | Up to $250,000 |
Tier 2: Azure speculative execution mitigation bypass | Up to $200,000 |
Tier 3: Windows speculative execution mitigation bypass | Up to $200,000 |
Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary | Up to $25,000 |
According to Microsoft, Tier 1 vulnerabilities are new attacks, Tiers 2 and 3 are techniques that get around protections already put in place against existing vulnerabilities, and Tier 4 is a demonstrating an actual successful attack method using already known vulnerabilities.
Phillip Misner, principal security group manager at the Microsoft Security Response Center, said in Microsoft's post announcing the program: "Speculative execution side channel vulnerabilities require an industry response." To that end, Microsoft says that they will share any discovered vulnerabilities and attacks with the industry in ethical, industry standard forms.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024