Microsoft Offers Bug Bounty Reward Up to $250K for Speculative Execution Vulnerabilities

Microsoft has announced a bug bounty program to address the Spectre and Meltdown-related speculative execution vulnerabilities.

Microsoft is offering a new bug bounty program in response to all-around criticism that the company does not appear to have fully addressed a pair of major vulnerabilities that hit Windows-based systems and devices worldwide a few months ago.

The Redmond, Washington-headquartered tech giant has now put the challenge to security researchers and other technical experts with the announcement of a hefty reward for speculative execution bugs.

In particular, Microsoft has targeted this bug bounty reward at the Spectre and Meltdown vulnerabilities reported in January, which stem from the way modern CPUs speculatively execute instructions rather than from any flaw in Microsoft's own code.

Highest Reward for Reporting Vulnerabilities is $250,000

For a new category of speculative execution attack that has not been reported before, the reward is up to $250,000, the highest amount in the program. Anyone who can bypass Microsoft's existing speculative execution mitigations can earn up to $200,000.

This second-level reward is payable where the bypass is demonstrated on a Windows system with the most recent update patches installed and results in information disclosure. Similarly, a mitigation bypass demonstrated against the Azure platform is also eligible for a reward of up to $200,000 under the new bug bounty program.

Moving down the ladder, a reward of up to $25,000 is being offered to anyone who can demonstrate a new instance of a known speculative execution vulnerability within Windows 10 or the Edge browser.

The provision stipulated by Microsoft for claiming this reward is that the researcher must be able to establish that their exploit led to “the disclosure of sensitive information across a trust boundary.”

Detailed Terms and Conditions for Reporting Vulnerabilities

Microsoft has published a detailed statement explaining the speculative execution bug bounty program and the terms and conditions under which the submissions would be evaluated and accepted.

Some of the criteria listed by Microsoft in its statement include: “reliable, reasonable, impactful, latest version and novel.” Each of these criteria is explained in detail. Under the “latest version” item, for example, it is stipulated that there must be demonstrable evidence that the vulnerability has been reproduced on a system running the latest version of the affected product.

This is followed by a chart showing the different tiers of the bug bounty program, with the range of reward amounts in the right-hand column. The bottom tier carries a range of $5,000 to $25,000 and the top tier, as already mentioned, offers $100,000 to $250,000, with two more tiers in between.

Microsoft has further outlined the types of submissions which would be considered ineligible for the reward under this bug bounty program. These include the vulnerabilities detected in Internet Explorer or in Adobe Flash.

Intel Also Working on Redesigning Its Processors


Microsoft appears confident that, on systems running its software, the vulnerabilities earlier attributed to defects in the design of the main processor (particularly Intel's) have been adequately addressed through patches. Microsoft also maintains that Windows 10 and Edge are safe from the Spectre and Meltdown vulnerabilities. A practitioner should note that the operating system patch alone is not the whole story: the Spectre variant 2 mitigation in Windows depends on updated processor microcode being present, so a host can be fully patched at the OS level and still report the mitigation as unavailable.
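To check whether the Spectre variant 2 and Meltdown mitigations are actually active on a given Windows host rather than merely installed, Microsoft publishes the SpeculationControl PowerShell module. The script below is an added example, not code from the article or from Microsoft; it calls Microsoft's Get-SpeculationControlSettings cmdlet and reads the property names that cmdlet's returned object exposes (BTI* for branch target injection, KVAShadow* for kernel virtual address shadowing). The pass/fail summary logic is the example's own.

```powershell
# Added example: verify speculative execution mitigation state on this host.
# Requires PowerShell 5+ and internet access to the PowerShell Gallery for
# the one-time module install. Run as a user who can install modules.
Install-Module -Name SpeculationControl -Scope CurrentUser -Force

# The cmdlet writes a human-readable report to the console and also returns
# an object with boolean properties; capture the object for our own checks.
$s = Get-SpeculationControlSettings

# Property names are those exposed by Microsoft's module (assumption: the
# module version current as of early 2018; newer versions add more fields).
$checks = [ordered]@{
    'Spectre v2: CPU microcode support present (BTIHardwarePresent)' = $s.BTIHardwarePresent
    'Spectre v2: Windows support present (BTIWindowsSupportPresent)' = $s.BTIWindowsSupportPresent
    'Spectre v2: Windows support enabled (BTIWindowsSupportEnabled)' = $s.BTIWindowsSupportEnabled
    'Meltdown: CPU requires KVA shadow (KVAShadowRequired)'          = $s.KVAShadowRequired
    'Meltdown: Windows support present (KVAShadowWindowsSupportPresent)' = $s.KVAShadowWindowsSupportPresent
    'Meltdown: Windows support enabled (KVAShadowWindowsSupportEnabled)' = $s.KVAShadowWindowsSupportEnabled
}

foreach ($k in $checks.Keys) {
    '{0,-72} {1}' -f $k, $checks[$k]
}

# Spectre v2 is only mitigated when the OS support is switched on, which in
# turn requires the microcode (firmware) update the article mentions.
$spectreV2Mitigated = ($s.BTIWindowsSupportEnabled -eq $true)

# Meltdown is mitigated if the CPU is not affected at all (KVA shadow not
# required, e.g. AMD) or if KVA shadowing is enabled on an affected CPU.
$meltdownMitigated  = (-not $s.KVAShadowRequired) -or ($s.KVAShadowWindowsSupportEnabled -eq $true)

# Distinguish "OS patched but firmware missing" from "not patched at all",
# because the remediation differs (BIOS/microcode update vs Windows Update).
if ($s.BTIWindowsSupportPresent -and -not $s.BTIHardwarePresent) {
    Write-Warning 'Windows has the Spectre v2 mitigation, but the CPU microcode update is missing; apply the OEM firmware/microcode update.'
}

[pscustomobject]@{
    SpectreV2Mitigated = $spectreV2Mitigated
    MeltdownMitigated  = $meltdownMitigated
}
```

Spectre variant 1 does not appear in this output because it is not a system-wide switch: it is mitigated per binary, by compiler-inserted barriers, so a clean result here says nothing about a given application's exposure to variant 1.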

Meanwhile, Intel is working on redesigning the processors implicated in the attacks. According to a recent news release, Intel's next-generation 8th Gen Core processors will have hardware protections integrated into them against the Spectre variant 2 and Meltdown attacks; the next-generation Xeon processors will incorporate the same design changes. These hardware changes do not cover Spectre variant 1, which continues to rely on software mitigations. Besides these, the chip maker is also deploying microcode (firmware) updates to mitigate the vulnerabilities in existing processors.

All factors considered, the emergence of the risks associated with the hardware design has shaken the industry to a great extent. The device manufacturers using the processors were put in a tough position regarding security. This is why any efforts by Intel and AMD to remedy the situation at the earliest will come as a great relief to device manufacturers as well as to users at large.

For those interested, the new bug bounty program is open until December 31, 2018. Entries may be submitted by email to the company's security response team.
