New Microsoft Bug Bounty Program Looks To Squash The Next Spectre, Meltdown

In the wake of the Meltdown and Spectre flaws, Microsoft has rolled out a new bug bounty program targeting speculative execution side channel vulnerabilities.

The limited time program is open until December  31, and offers up to $250,000 for identifying new categories of speculative execution attacks that Microsoft and other industry partners are not yet aware of.

Speculative execution side channels are a hardware vulnerability class that affects CPUs from multiple manufacturers. The vulnerabilities were thrust into the spotlight in January after it was disclosed that there are three variants of the issue, dubbed Spectre and Meltdown, that could potentially enable hackers to access users’ data.

These security flaws impact processors across the board, including Intel, ARM and AMD. Microsoft, for its part, has worked to release firmware and software updates for its devices featuring these CPUs.

“In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues,” Phillip Misner, principal security group manager at Microsoft, said in a post.

Microsoft’s bug bounty program features a second tier that offers up to $200,000 to find speculative execution side channel attacks that can be used to read sensitive memory that is not allocated to an attacker’s virtual machine on Azure.

Another tier of the program offers up to $200,000 to find a novel method of bypassing speculative execution mitigations on Windows. That could include a method of bypassing Windows mitigations for “branch target injections” like Spectre variant 2 (or CVE-2017-5715) or “rogue data cache load” like the Meltdown variant (or CVE-2017-5754). “These bypasses must demonstrate that it is possible to disclose sensitive information when these mitigations are present and enabled,” according to Microsoft.

The company is also offering up to $25,000 to find instances of a known speculative execution vulnerability in Windows 10 or Microsoft Edge. That includes exploitable instances of Spectre variant 1 (CVE-2017-5753).

Microsoft has kept up with mitigations around Spectre and Meltdown after the vulnerabilities were first disclosed in January. In March, the company released a myriad of software and firmware/microcode updates, including protected updates for its x86 version of Windows 10 and microcode updates for devices running the Windows 10 Fall Creators Updates and Intel’s sixth-gen Skylake processors.

Most recently, the company offered new updates against Meltdown and Spectre with new releases on this month’s Patch Tuesday for PCs running x86 versions of Windows 7 and 8.1 as well as Server 2008 and 2012.

Microsoft isn’t alone in offering bounties to look for new side channel vulnerabilities – last month, Intel also launched a new bug bounty program focused specifically on side channel vulnerabilities similar to Spectre and Meltdown, with potential awards for disclosures totaling up to $250,000.