Microsoft launches temporary bug bounty program for vulnerabilities like Meltdown and Spectre
Microsoft has announced that it is establishing a temporary bug bounty program to offer rewards of up to a quarter of a million dollars for discovering vulnerabilities such as Meltdown and Spectre. Earlier, Intel took a similar step.
Microsoft writes that the program will run until the end of the year and focuses on vulnerabilities related to speculative execution, a processor technique underlying the Meltdown and Spectre leaks published in January. The top reward of $250,000 will be for “new categories of speculative execution attacks,” which means Microsoft is offering as much money as Intel, which also launched a program that will last until the end of this year.
In addition, Microsoft is offering a lower $200,000 for techniques that circumvent existing countermeasures for Spectre and Meltdown. For example, the Redmond-based company asks for exploits that undo mitigations in Azure and for exploits that do the same on Windows. With this, the company wants to encourage discoverers of these types of attacks to share the techniques, so that it can subsequently improve its countermeasures.
In a final category, Microsoft is offering a $25,000 reward for an exploit that can leak information in Edge or Windows 10, based on the first and second variants of Spectre. The company writes that speculative execution attacks require an “industry-wide response.” Therefore, it wants to share information it obtains under this new program with other companies. In a separate blog post, the company discusses how it has handled Meltdown and Spectre.