Microsoft Offers New Bug Bounties for Spectre, Meltdown-Type FlawsMicrosoft Offers New Bug Bounties for Spectre, Meltdown-Type Flaws
Microsoft is offering a short-term bug bounty program for speculative execution side-channel vulnerabilities and threats.
March 19, 2018
Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.
The bug bounties - on offer through December 31, 2018 - are:
Tier 1: New categories of speculative execution attacks
Up to $250,000
Tier 2: Azure speculative execution mitigation bypass
Up to $200,000
Tier 3: Windows speculative execution mitigation bypass
Up to $200,000
Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary
Up to $25,000
According to Microsoft, Tier 1 vulnerabilities are new attacks, Tiers 2 and 3 are techniques that get around protections already put in place against existing vulnerabilities, and Tier 4 is a demonstrating an actual successful attack method using already known vulnerabilities.
Phillip Misner, principal security group manager at the Microsoft Security Response Center, said in Microsoft's post announcing the program: "Speculative execution side channel vulnerabilities require an industry response." To that end, Microsoft says that they will share any discovered vulnerabilities and attacks with the industry in ethical, industry standard forms.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023