Microsoft Offers $250,000 Bug Bounty To Prevent Another Spectre-Meltdown Fiasco

With critical vulnerabilities like Meltdown and Spectre having been disclosed to the public, it's clearer than ever that more eyeballs are needed when it comes to making sure that our software and hardware are secure. Not long after Intel suffered the bulk of fallout from Meltdown and Spectre, the company bolstered its bug bounty program to encourage more people to dive in and discover bugs before they can be exploited.

Intel made great strides to improve the program overall by cutting out the invite-only requirement, allowing anyone to find, explore and report potential bugs. Clearly, Microsoft liked that idea, as it has also enhanced its bug bounty program to offer the same top quarter-million-dollar reward that Intel is coughing up.

There is a caveat, however; this particular set of bug bounty rules is exclusive to vulnerabilities that surround speculative execution bugs, which are at the heart of Meltdown and Spectre. Microsoft lays out explicit details about what kind of bug would qualify:

  • A novel category or exploit method for a Speculative Execution Side Channel vulnerability.
  • A novel method of bypassing a mitigation imposed by a hypervisor, host or guest using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from another guest.
  • A novel method of bypassing a mitigation imposed by Windows using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the kernel or another process.
  • A novel method of bypassing a mitigation imposed by the Microsoft Edge using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the Microsoft Edge content.

In order to qualify for the big "prize" of $250,000, the submission must involve a bug that is in a novel category of speculative execution attack that neither Microsoft nor industry partners are aware of. Ideally, this is the payout Microsoft would pay most often, because those bugs would clearly be the most severe. Other levels include reading sensitive memory involving virtual machines and verification of certain bugs actually being exploitable with select Microsoft products, such as Windows 10 or the Edge web browser.

Overall, this is a great move from Microsoft, and it's somewhat reassuring for normal end-users to see this kind of commitment being made.