The January reveal of the Meltdown and Spectre speculative-execution attacks sent ripples through the entire computer industry. Part of Intel's response was a boost in bug-hunting bounties up to a cool quarter-million dollars for finding side-channel vulnerabilities. Microsoft has now joined the party and ponied up a $250,000 bounty of its own for the identification of speculative-execution flaws. Like Intel's payout bump, Microsoft's program has a ticking clock—it'll end when 2019 comes around.
Microsoft's payout program has four tiers, shown in the table below. The biggest award is handed out for discovering a new class of speculative-execution attacks. The company has a separate blog post with more technical information about the known classes of that type of bug. The new bounty program augments existing programs, including one that awards as much as $250,000 for discovery of vulnerabilities in Hyper-V.
| Tier | Maximum payout (USD) |
| --- | --- |
| 1: New categories of speculative execution attacks | $250,000 |
| 2: Azure speculative execution mitigation bypass | $200,000 |
| 3: Windows speculative execution mitigation bypass | $200,000 |
| 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary | |
Microsoft hopes that large cash awards will encourage security researchers to come forward with their discoveries so that "affected parties can collaborate on solutions to these vulnerabilities." This type of response would stand in stark contrast to the way CTS Labs handled its discovery of alleged flaws in AMD processors and chipsets earlier this week.