To further curb the potential security threats raised by January's Spectre and Meltdown vulnerability findings, Microsoft has announced a limited-time bounty program specifically for “speculative execution” flaws, exploits similar in nature to Meltdown and Spectre. Up to $250,000 in rewards is available, with the maximum payout going to those who discover Tier 1 vulnerabilities, which are new categories of speculative execution attacks. The bounty program is open until the end of the year.
Intel announced a similar program earlier in the year, which also dedicates special rewards to those who discover side-channel vulnerabilities and is open to the public. Microsoft intends to use the discoveries and information contributed through this program to bolster and reinforce its security and prepare its software for attacks, all while conserving the internal resources it would otherwise spend finding the exploits itself.
| Tier | Payout (USD) |
| --- | --- |
| Tier 1: New categories of speculative execution attacks | Up to $250,000 |
| Tier 2: Azure speculative execution mitigation bypass | Up to $200,000 |
| Tier 3: Windows speculative execution mitigation bypass | Up to $200,000 |
| Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary | Up to $25,000 |