There’s a new Microsoft bug bounty program. Named “speculative execution bounty,” the program seeks to fight back against the class of vulnerabilities responsible for the Spectre and Meltdown incidents. As speculative execution side-channel attacks are so new to the cybersecurity world, there is a great deal of research that needs to be done. The hope of this new Microsoft bug bounty program is to contribute to this ongoing research.
The speculative execution bounty started March 14 and is going to continue until December 31. According to a Microsoft blog post, there are four tiers of rewards for completing specific tasks. Tier 1 pays the most, with a maximum reward of $250,000 for “new categories of speculative execution attacks.” Tier 2 pays up to $200,000 for uncovering an “Azure speculative execution mitigation bypass.” Tier 3 also pays up to $200,000 and rewards bounty hunters who find a “Windows speculative execution mitigation bypass.” Tier 4 has a maximum payout of $25,000 and rewards those who find existing speculative execution vulnerabilities in Windows 10 or Microsoft Edge.
This bug bounty program is not the only one that seeks out speculative execution vulnerabilities (Intel released one last month). Ever since Spectre and Meltdown, the cybersecurity community and the tech world as a whole have been doing their due diligence to prevent major incidents like those from recurring. This attitude is summed up at the end of the bug bounty announcement by Phillip Misner, principal security group manager at the Microsoft Security Response Center:
“Speculative execution side-channel vulnerabilities require an industry response. To that end, Microsoft will share, under the principles of coordinated vulnerability disclosure, the research disclosed to us under this program so that affected parties can collaborate on solutions to these vulnerabilities. Together with security researchers, we can build a more secure environment for customers.”
This is the attitude that needs to prevail for all of us in this industry if we are going to stop these attacks in the future.