Microsoft has patched the Meltdown and Spectre hardware vulnerabilities. While the company has stated that it will introduce more mitigation measures in the coming months, it also wants to ensure that no exploitable vulnerabilities remain that could be used against its users. As a result, the software giant is launching a rewards program that offers huge bonuses to those who find new bugs and report them to Microsoft.
There are four tiers in the Speculative Execution Bounty Program, as follows:
- Tier 1: New categories of speculative execution attacks, up to $250,000
- Tier 2: Azure speculative execution mitigation bypass, up to $200,000
- Tier 3: Windows speculative execution mitigation bypass, up to $200,000
- Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge that enables the disclosure of sensitive information across a trust boundary, up to $25,000
In the last tier, researchers who disclose an instance of a known vulnerability in Windows 10 or Microsoft Edge that leaks sensitive information across a trust boundary receive a bonus of $25,000. Speculative execution side-channel vulnerabilities require an industry response. To this end, Microsoft will share the vulnerabilities discovered under this program in accordance with the principles of vulnerability disclosure, so that affected parties can cooperate on solutions to these vulnerabilities. Together with security researchers, Microsoft can build a more secure environment for its customers.
The new bug rewards program will be launched on March 14 and will continue until December 31. Microsoft said that if any vulnerability is found, all details will be shared with other companies to provide protection for all customers. This approach shows that Microsoft and its partners give top priority to these hardware vulnerabilities, and the software giant is one of the first companies to launch a reward program for these bugs.
Source: blogs.technet.microsoft.com