1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Microsoft will pay up to $250,000 for the 'coordinated disclosure' of Spectre and Meltdown-like...

By Polycount
Mar 15, 2018
Post New Reply
  1. In the wake of the recent discovery of two significant CPU hardware architectural flaws which can use "speculative execution" to swipe personal data from a victim's computer. We have a full write-up on the situation available here but suffice to say the exploits, officially dubbed Meltdown and Spectre, have caused quite a few headaches for major tech companies.

    Intel, in partnership with Microsoft and other companies, has rushed to roll out a number of software patches to address the flaws with some mixed results but Microsoft isn't content to rest on their laurels. To ensure similar exploits do not go unchecked in the future, the software giant has announced a new bug bounty program focused on speculative execution attacks and vulnerabilities.

    This program, which will run until December 31, 2018, promises a payout of "Up to $250,000" for the "coordinated disclosure" of new attacks similar to Spectre and Meltdown. The bounty program is separated into four "tiers" based on the severity of a given researcher's discovery.

    For example, tier 1 discoveries include "New categories of speculative execution attacks" and offer payouts of up to $250,000 whereas tier 4 discoveries include "[Instances] of a known [speculative execution vulnerability] in Windows 10 or Microsoft Edge" and will only offer payouts of up to $25,000.

    Microsoft is undoubtedly hoping these significant monetary incentives will deter researchers from releasing their discoveries into the wild before companies like Intel and AMD can come up with plans to address them.

    Permalink to story.

     
  2. It is a step in the right direction, by not prosecuting security researchers for doing their investigations (such as pentesting, reverse engineering obfuscated code etc), but as long as Zerodium and the likes are paying more for exploits it is an uphill battle. Perhaps if big corps weren't using the approach of "security through obscurity", such as closed source software with obfuscated code, we would stand a better chance.

    Also the once a month security updates from micro$oft do not help users much...
     

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...