Microsoft wants bug hunters to go after Spectre and Meltdown-style flaws
MICROSOFT WANTS BUG HUNTERS to find Spectre and Meltdown-style flaws so it can fix them before they get out of hand.
The Redmond-based company has opened up a specific bug bounty program for the task, which will run until 31 December 2018 and will offer bug hunters up to $250,000 for finding new speculative execution flaws and attack vectors.
“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods,” said Phillip Misner principal security group manager at the Microsoft Security Response Center.
“This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues.”
Four tiers of bounties are on offer, with Tier 4 offering up to £25,000 for new versions of known speculative execution vulnerabilities and Tier 1 offering the full quarter-of-a-million for the uncovering of new categories of speculative execution attacks.
These are some pretty healthy payouts if security is your bag, so Windows-centric bug spotters should get cracking.
“We expect that research is already underway exploring new attack methods,” noted Misner.
Microsoft will also share any findings the new bug bounty throws up to help the industry get ahead of Spectre and Meltdown style flaws, which seemingly caught Redmond, Intel, AMD and others off guard.
“Speculative execution side channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities,” said Misner.
Seeking out and reporting bugs is all very well and good if it’s done in a responsible and clear manner, something that doesn’t seem to have happened with the report that AMD’s Ryzen and Epyc chips are vulnerable to alleged critical flaws.
With a beefed-up bug bounty, Microsoft may go some way to mitigate poor practices in flaw reporting and exposure. µ