Microsoft introduced a new bug bounty program meant to encourage researchers to discover new speculative execution side channel vulnerabilities--such as the infamous Meltdown and Spectre flaws revealed in January--so it can help patch the security problems.
Companies often rely on bug bounty programs to discover flaws in their products' security. The practice encourages researchers to disclose their findings to the companies instead of selling, exploiting, or giving away the vulnerabilities themselves. Instead of profiting by compromising people's security, the researchers are able to make some money in exchange for helping improve the products they study. It's pretty close to a win-win.
Yet these programs rarely offer rewards for just any miscellaneous type of vulnerability. Companies are often interested in specific aspects of their products and pay out differently based on the kind of vulnerability a researcher discloses. Microsoft's decision to join Intel in launching a bug bounty program dedicated specifically to speculative execution side channel vulnerabilities shows that it believes these flaws are worth paying to learn about.
Microsoft explained in a blog post:
Conventional software vulnerabilities are well-understood and are relatively easy to perform root cause analysis on (we even have automation for many cases, see VulnScan). Speculative execution side channels, on the other hand, represented a fundamentally new hardware vulnerability class with no established process for determining their severity and their impact on existing software security models. To create this process, we and others in the industry needed to thoroughly research speculative execution side channels and establish a taxonomy and framework for reasoning about their effects and possible mitigations.
The company also explained the various types of vulnerabilities it hopes researchers will submit through the program. These range from preventing speculation techniques and nixing sensitive information from memory to removing the channels of communication used by these attacks. Microsoft wants researchers to share their findings whether they're found in Arm, AMD, or Intel processors. (Or, in some cases, perhaps all three.)
Here's what Microsoft is willing to pay researchers via this program:
| Tier | Payout (USD) |
|---|---|
| 1: New categories of speculative execution attacks | Up to $250,000 |
| 2: Azure speculative execution mitigation bypass | Up to $200,000 |
| 3: Windows speculative execution mitigation bypass | Up to $200,000 |
| 4: instance of a known speculative execution vulnerability (Such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary | Up to $25,000 |
