Microsoft offers a huge cash reward to stop the next Meltdown or Spectre

Microsoft is looking to stamp out future major bugs along the lines of Spectre, with the company offering big money to hunt down this sort of flaw.

Microsoft’s new bug bounty program is specifically for ‘speculative execution side channel vulnerabilities’ like Spectre and Meltdown, which affected Intel chips, with Spectre also affecting AMD and ARM processors.

The software giant observed that these represented a new class of vulnerabilities and a major change in the threat environment. Its response is this new program, which will pay up to $250,000 (about £180,000, AU$320,000) to those who discover such bugs and disclose them to Microsoft.

The top tier payment of up to $250,000 will be made for the discovery of entirely new categories of speculative execution attacks, with Microsoft paying up to $200,000 (about £145,000, AU$255,000) for the discovery of methods of bypassing Windows’ defenses against existing speculative execution flaws.

Those who find new spins on known speculative execution vulnerabilities in Windows 10 or Microsoft’s Edge browser will be able to bag a reward of up to $25,000 (about £18,000, AU$32,000).

Joint effort

Naturally, the hope is that Microsoft will be able to use such early warnings to concoct a fix before any possible vulnerability becomes public. The firm says it will share any findings and research with other affected companies to collaborate on fixes, because “speculative execution side channel vulnerabilities require an industry response”.

Of course, when it came to Spectre and Meltdown, despite collaboration beginning a good half-year before these holes became public knowledge, patching has still been a very haphazard affair. Indeed, fixes for many affected Intel CPUs still haven’t gone live.

Hopefully lessons will have been learned when it comes to future responses to any vulnerability of this category. Clearly, this is a positive step forward by Microsoft, although not a surprising one given the seriousness and potential impact of this sort of flaw, as we’ve seen this year.

Via The Inquirer