Microsoft offers $250,000 bounty for speculative-execution bugs

The January reveal of the Meltdown and Spectre speculative-execution attacks sent ripples through the entire computer industry. Part of Intel's response was a boost in bug-hunting bounties up to a cool quarter-million dollars for finding side-channel vulnerabilities. Microsoft has now joined the party and ponied up a $250,000 bounty of its own for the identification of speculative-execution flaws. Like Intel's payout bump, Microsoft's program has a ticking clock—it'll end when 2019 comes around.

Microsoft's payout program has four tiers, shown in the table below. The biggest award is handed out for discovering a new class of speculative-execution attacks. The company has a separate blog post with more technical information about the known classes for that type of bug. The new bounty program augments existing programs, including one that awards as much as $250,000 for discovery of vulnerabilities in Hyper-V.

Tier Maximum payout (USD)
1: New categories of speculative execution attacks $250,000
2: Azure speculative execution mitigation bypass $200,000
3: Windows speculative execution mitigation bypass $200,000
4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary $25,000

Microsoft hopes that large cash awards will encourage security researchers to come forward with their discoveries so that "affected parties can collaborate on solutions to these vulnerabilities." This type of response would stand in stark contrast to the way CTS Labs handled its discovery of alleged flaws in AMD processors and chipsets earlier this week.

Comments closed
    • ronch
    • 2 years ago

    Hey look here, CTS! Wanna make some quick cash?

    • NovusBogus
    • 2 years ago

    It’s the smart move. Not just speculative execution, but hardware exploits in general. Hardware level security was largely ignored for many years, and now that the gates are busted wide open the next few years are guaranteed to be pretty interesting.

    • Neutronbeam
    • 2 years ago

    I speculate that Microsoft Windows, Azure and Microsoft Edge will have execution bugs, both now and in the future. Okay, where’s my money MSFT?

      • morphine
      • 2 years ago

      Man, good humor isn’t appreciated. Bad humor doubly so.

        • pirate_panda
        • 2 years ago

        He was executed for speculating, just as Microsoft warned. That bounty was apparently Dead or Alive.

          • ronch
          • 2 years ago

          I guess Microsoft took that branch, huh?

      • Wirko
      • 2 years ago

      You seem to be a little out of order today.

      • jihadjoe
      • 2 years ago

      Your joke sounds like the first CTS Labs announcement.

        • ig0012
        • 2 years ago

        BTW, given AMD’s response to the CTS announcement (i.e. “we will investigate the merit of the findings”), not sure if AMD is even interested in bug findings…

          • LostCat
          • 2 years ago

          So you were hoping they wouldn’t investigate them then?

        • ludi
        • 2 years ago

        I’ll go register “NeutronbeamFlaws.com” right now.
