Microsoft launches bounty program for speculative execution side channel vulnerabilities
Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year.
The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.
See also:
- Microsoft removes AV compatibility requirements for Windows 10 security updates
- Intel failed to warn US government about Meltdown and Spectre flaws before going public
- Intel has a new Spectre firmware patch for you to try out
- Microsoft gives sysadmins Meltdown and Spectre detection in Windows Analytics
In a post on the Microsoft Security Response Center, the company says: "Microsoft is announcing the launch of a limited-time bounty program for speculative execution side channel vulnerabilities. This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field. In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues."
In order to qualify for a payout, vulnerability submissions must meet varying criteria:
- A novel category or exploit method for a Speculative Execution Side Channel vulnerability.
- A novel method of bypassing a mitigation imposed by a hypervisor, host or guest using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from another guest.
- A novel method of bypassing a mitigation imposed by Windows using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the kernel or another process.
- A novel method of bypassing a mitigation imposed by the Microsoft Edge using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the Microsoft Edge content.
Microsoft shares details of the reward payments it is willing to make:
| Tier | Description | Possible Payout |
| Tier 1: New categories of speculative execution attacks | Qualifying submissions must identify a novel category of speculative execution attacks that Microsoft and other industry partners are not aware of. An example of a qualifying submission would be a new method of leveraging speculative execution side channels to disclose information across a trust boundary. | $100,000 - $250,000 USD |
| Tier 2: Azure speculative execution mitigation bypass | Qualifying submissions must demonstrate a speculative execution side channel attack that can be used to read sensitive memory that is not allocated to an attacker’s virtual machine on Azure. | $100,000 - $200,000 USD |
| Tier 3: Windows speculative execution mitigation bypass | Qualifying submissions must demonstrate a novel method of bypassing speculative execution mitigations on Windows. Specifically, this would involve bypassing the Windows mitigations for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load). These bypasses must demonstrate that it is possible to disclose sensitive information when these mitigations are present and enabled. | $100,000 - $200,000 USD |
| Tier 4: Exploitable speculative execution vulnerabilities | Qualifying submissions will identify an instance of a known speculative execution hardware vulnerability (such as CVE-2017- 5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary. | $5,000 - $25,000 USD |
Full details of the bounty program can be found in the Microsoft Security TechCenter.
Image credit: r.classen / Shutterstock