Microsoft is offering a short-term bug bounty program for speculative execution side-channel vulnerabilities and threats.

Dark Reading Staff, Dark Reading

March 19, 2018

2 Min Read

Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.

The bug bounties - on offer through December 31, 2018 - are:

Tier 1: New categories of speculative execution attacks

Up to $250,000

Tier 2: Azure speculative execution mitigation bypass

Up to $200,000

Tier 3: Windows speculative execution mitigation bypass

Up to $200,000

 

Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary

Up to $25,000

According to Microsoft, Tier 1 vulnerabilities are new attacks, Tiers 2 and 3 are techniques that get around protections already put in place against existing vulnerabilities, and Tier 4 is a demonstrating an actual successful attack method using already known vulnerabilities.

Phillip Misner, principal security group manager at the Microsoft Security Response Center, said in Microsoft's post announcing the program: "Speculative execution side channel vulnerabilities require an industry response." To that end, Microsoft says that they will share any discovered vulnerabilities and attacks with the industry in ethical, industry standard forms.

For more, read here and here.

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

About the Author(s)

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

VPN other edge devices cybersecurity
Endpoint Security
Teetering on the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTsOn the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTs
byRobert Lemos, Contributing Writer
Apr 23, 2024
4 Min Read
Kuala Lumpur, Malaysia, skyline against the harbor at sunrise
Cyber Risk
Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity ProsLicensed to Bill? Nations Mandate Certification of Cybersecurity Pros
byRobert Lemos, Contributing Writer
Apr 23, 2024
4 Min Read
MITRE Corp's logo in blue
Endpoint Security
MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti BugsMITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
byNate Nelson, Contributing Writer
Apr 22, 2024
3 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events