
It’s been a few months since serious CPU flaws known as Meltdown and Spectre rocked the tech world. By now, they’re strongly mitigated, even if some believe hardware is the only true fix.

However, Microsoft is worried that’s not the end of it. Meltdown and Spectre were just two discovered bugs, and there could be more hiding out there. As such, the company is offering $250,000 to anybody who can discover a similar flaw.

The bugs are known as speculative execution side-channel vulnerabilities. In essence, the discovery of Meltdown and Spectre unearthed a whole new category that’s yet to be fully explored.

“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods,” explained Phillip Misner, principal security group manager at Microsoft. “This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues.”

Industry Collaboration

Despite this, the company isn’t doing it to gain a leg up over its competitors. Naturally, fixing any vulnerability makes for a better Windows experience, and Microsoft will be disclosing research to affected parties.

“Speculative execution side channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities. Together with security researchers, we can build a more secure environment for customers,” said Misner.

The bug bounty is split into four tiers. For tier 2, Microsoft is offering $200,000 for speculative execution mitigation bypasses for Azure, and tier 3 is the same but for Windows. Tier 4 has a reward of $25,000 for new exploits for known vulnerabilities.

Security researchers can read the full bounty details on TechNet.