Microsoft launches bug bounty program to find Spectre/Meltdown-like flaws

Bug hunters can earn up to $250,000

Microsoft has launched a new bug bounty programme to find major security bugs like the Meltdown and Spectre vulnerabilities.

The vendor is putting up a $250,000 reward for bug hunters who are able to find new speculative execution flaws and attack vectors. With the programme running until the end of the year, Microsoft is hoping to bolster its defences in the wake of the recent flaws.

"Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods," said Phillip Misner, principal security group manager at the Microsoft Security Response Center. "This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues."

Misner added: "Speculative execution side channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities."

The bounties are split into four tiers. At the bottom of the spectrum, Tier 4 offers $25,000 for new versions of known speculative execution vulnerabilities. However, quarter-of-a-million-dollar rewards are on offer for uncovering new categories of speculative execution attacks. Microsoft will also share any findings the new bug bounty throws up to help the industry get ahead of Spectre- and Meltdown-style flaws, which seemingly caught Redmond, Intel, AMD and others off guard.

In the wake of the Spectre and Meltdown bugs, PCR asked industry experts what needs to be done to prevent future vulnerabilities. 
