Microsoft bug bounty program is offering $250k for Meltdown and Spectre vulnerabilities

Share this…

The detection of serious CPU vulnerabilities called Spectre and Meltdown shook the tech community in first’s months of 2018. Although the gravity of damage has been controlled considerably still there is room for mitigation.

Perhaps that’s the reason why Microsoft has decided to roll out new bug bounty program which will focus on discovering speculative execution side channel flaws. Speculative Execution Side Channels refer to hardware vulnerability class that can lay a significant impact on CPU from not anyone but multiple manufacturers, information security training experts explain.

bug-bounty microsoft

 

This bug bounty program will remain open until December 31. Microsoft is offering an astonishing $250,000 as reward sum for discovering new categories of attacks specifically speculative execution attacks that are currently undisclosed.

“In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues,” stated Microsoft principal information security group manager, Phillip Misner.

These vulnerabilities came into the light in January 2018 and it was also identified that three variants of Spectre and Meltdown are present. These can potentially allow hackers to hijack users’ data.

The processors from a variety of manufacturers including; Intel, AMD, and ARM could be impacted by these security vulnerabilities, information security training researchers said. Microsoft has already prepared software and firmware updates to deal with the issue and secure its devices that have these processors installed.

Microsoft believes that Meltdown and Spectre are just two of the many security bugs and therefore, simply mitigating these two flaws won’t solve the issue completely and we need to find other bugs.

“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” revealed Misner in a post.

The reason for initiating the program is not to gain an edge over its competitors but to allow safe and secure Windows experience to users. That’s why Microsoft is planning to take its competitors and tech community in confidence and disclose the findings of the bug bounty program to the affected parties.

Misner noted “Speculative execution side channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities. Together with information security researchers, we can build a more secure environment for customers.”

Information security training analysts of Microsoft explain that the bug bounty program will be having four levels. Microsoft is offering $200,000 for tier 2 discoveries, which involve speculative execution mitigation bypasses for Azure while tier 3 involves same vulnerabilities but for Windows. Tier 4 will deal with identification of new exploits for already known vulnerabilities and the award money would be $25,000. Tier 1 deals with serious Hyper-V vulnerabilities in Windows 10 and the successful hacker will be receiving $250,000 in reward.

microsoft bug bounty jpg

This Microsoft bug bounty program has been launched at a time when Intel is gearing up to make important CPU changes by redesigning its processors and ensure protection against serious attacks like Spectre.

Moreover, Intel will be introducing next-gen Xeon processors (Cascade Lake) that will be loaded with advanced hardware protection features along with 8th generation Intel Core processors. Firmware updates are expected to provide protection to existing CPUs.

Only last month, information security training experts identified 139 malware samples exploiting Meltdown & Spectre flaws which means cyber criminals are already gearing up to target unsuspecting users. Consequently, the bug bounty and firmware updates can play a major role in protecting users from large-scale attacks.