Microsoft Debuts $250,000 Bug Bounty for Spectre/Meltdown-Style Flaws
Microsoft has launched a limited-time bounty program for speculative execution side channel vulnerabilities – the generic term for flaws such as Spectre and Meltdown.
The move comes as Intel launches the “virtual fences” initiative to address such vulnerabilities in hardware.
Spectre and Meltdown comprise three variants (two Spectre and one Meltdown) affecting multiple CPU hardware implementations. They can be described as “side channel” attacks that allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine. They work across PCs, mobile devices and in the cloud.
“This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field,” said Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a post. “In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues.”
Microsoft’s bounty will be open until 31 December 2018. New categories of speculative execution attacks will pay up to $250,000, and Windows and Azure speculative execution mitigation bypass flaws will earn up to $200,000. Instances of a known speculative execution vulnerability in Windows 10 or Microsoft Edge that enables the disclosure of sensitive information across a trust boundary will earn up to $25,000.
“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods,” said Misner. “This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues.”
The move comes after Intel CEO Brian Krzanich detailed the “virtual fences” architectural changes to the company’s hardware design.
Intel has already released microcode updates for all Intel products launched in the past five years that require protection against side-channel vulnerabilities. While variant one will continue to be addressed via software mitigations, the hardware changes will address variants two and three. To wit, Intel has redesigned parts of its processor to introduce new levels of protection through partitioning.
“Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors,” said Krzanich in a blog.
The changes will begin with the next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as the 8th Generation Intel Core Processors expected to ship in the second half of 2018.
Intel launched its own side-channel bug bounty earlier in the year, also valid through 31 December. Flaws rated from 9 to 10 on the Common Vulnerability Scoring System (CVSS) scale will pay out up to $250,000; those from 7 to 8.9 will pay up to $100,000; and lower-severity issues will pay up to $20,000.
“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge,” said Rick Echevarria, VP and GM of platform security, in a blog.