
Microsoft launches $250,000 bug bounty for Spectre/Meltdown-like flaws

Microsoft has kicked off a bug bounty program that could bring in between $25,000 and $250,000 to anyone able to find vulnerabilities similar to the now infamous Spectre and Meltdown.

The program will run through December 2018 and Microsoft hopes it will spur interest in the discovery of speculative execution side channel vulnerabilities.

“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” Microsoft said in a Technet blog.

The program contains four bounty tiers. Tier 1, the discovery of any new category of speculative execution attack, pays up to $250,000. Tier 2 pays up to $200,000 for an Azure speculative execution mitigation bypass, and Tier 3 pays up to $200,000 for a Windows speculative execution mitigation bypass. Tier 4 pays up to $25,000 for locating an instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge; the vulnerability must enable the disclosure of sensitive information across a trust boundary.

The Spectre and Meltdown vulnerabilities, CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre), became public knowledge in January. If left unpatched, these kernel-level flaws, found in Intel and, to a lesser extent, AMD and ARM processors, could allow for remote code execution and access to kernel-level memory.
