There are four tiers in the Speculative Execution Bounty Program, as follows:
- Tier 1: New categories of speculative execution attacks, up to $250,000
- Tier 2: Azure speculative execution mitigation bypass, up to $200,000
- Tier 3: Windows speculative execution mitigation bypass, up to $200,000
- Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge that enables the disclosure of sensitive information across a trust boundary, up to $25,000

In the last tier, researchers who disclose an instance of a known vulnerability in Windows 10 or Microsoft Edge that exposes sensitive information across a trust boundary receive a bounty of $25,000. Speculative execution side-channel vulnerabilities require an industry response. To this end, Microsoft will share the vulnerabilities discovered under this program, following the principles of vulnerability disclosure, so that affected parties can cooperate on solutions to these vulnerabilities. Together with security researchers, Microsoft can build a more secure environment for its customers.

The new bug bounty program will launch on March 14 and will continue until December 31. Microsoft said that if any vulnerability is found, all details will be shared with other companies to provide protection for all customers. This approach shows that Microsoft and its partners are giving top priority to these hardware vulnerabilities; the software giant is one of the first companies to launch a reward program for such bugs.

Source: blogs.technet.microsoft.com