Microsoft has kicked off a bug bounty programme that could bring in between US$25,000 and US$250,000 to anyone able to find vulnerabilities similar to the now infamous Spectre and Meltdown.
The programme will run through to December 2018 and Microsoft hopes it will spur interest in the discovery of speculative execution side-channel vulnerabilities.
“This bounty programme is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” Microsoft said in a TechNet blog.
The programme contains four bounty tiers. Tier 1, the discovery of any new categories of speculative execution attacks, pays up to US$250,000. Tier 2 pays up to US$200,000 for any Azure speculative execution mitigation bypass; Tier 3 pays up to US$200,000 for a Windows speculative execution mitigation bypass; and Tier 4 pays up to US$25,000 for locating an instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary.
The Spectre and Meltdown vulnerabilities CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown), and CVE-2017-5715 (Spectre) became public knowledge in January. If left unpatched, these kernel-level flaws found in Intel, and to a lesser extent in AMD and ARM processors, could allow for remote code execution and access to kernel-level memory.