Microsoft kicks off bounty program for speculative execution bugs

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

Microsoft wants security researchers to search for and report speculative execution side channel vulnerabilities (a hardware vulnerability class that affects CPUs from multiple manufacturers), as well as bugs that can be misused to bypass Windows and Azure Spectre and Meltdown mitigations.

speculative execution bugs

For their successful efforts, the company is ready to pay out as much as $250,000.

A new bug bounty

The bounty program for speculative execution side channel vulnerabilities was announced on Wednesday and will be open until December 31, 2018.

“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods. This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues,” said Phillip Misner, Principal Security Group Manager at Microsoft Security Response Center.

He also noted that speculative execution side channel vulnerabilities require an industry response, so Microsoft will share the research disclosed to them under this program with affected parties and collaborate with them to solve the vulnerabilities.

The company wants to know about a variety of bugs and invites submissions on:

  • A novel category of speculative execution attacks that Microsoft and other industry partners are not aware of.
  • A novel method of bypassing a mitigation imposed by a hypervisor, host or guest using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from another guest on the attacker’s virtual machine on Azure.
  • A novel method of bypassing a mitigation imposed by Windows using a Speculative Execution Side Channel attack. “Specifically, this would involve bypassing the Windows mitigations for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load). These bypasses must demonstrate that it is possible to disclose sensitive information when these mitigations are present and enabled,” the company noted.
  • A novel method of bypassing a mitigation imposed by the Microsoft Edge using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the Microsoft Edge content.

Rewards

For the first categories, the amount of the bounty can vary between $100,000 and $250,000; for the second and third $100,000 and $200,000; and for the last one $5,000 and $25,000.

Naturally, the final amount awarded will depend on how applicable the side channel attack is, how difficult it is to execute, how reliable the exploit is, and how impactful the attack is.

For more details about the bug bounty program go here.

With this announcement, Microsoft follows in the footsteps of Intel, which started a similar bug bounty program last month and urged researchers to look for vulnerabilities that are rooted in Intel hardware but can be exploited through software.