Microsoft Introduces New Bug Bounties To Discover More Side Channel Vulnerabilities

Microsoft offered up some big cash rewards Thursday to intrepid bug hunters who can help discover the next Meltdown- and Spectre-style vulnerabilities, or ways Microsoft's products are still vulnerable to those known chip security flaws.

Side channel vulnerabilities of the kind that shocked the industry at the start of this year represent a new type of threat, and Microsoft is turning to its bug bounty program to recruit researchers.

"In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place," wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, on a Microsoft blog.

[Related: CRN Research: Partners Rank Red Hat, Microsoft For Their Spectre, Meltdown Responses]

Sponsored post

The new bounties are fair game until the end of this year. They are structured across four tiers.

Tier 1 focuses on new categories of attacks involving speculative execution side channels. Microsoft will pay up to $250,000 to anyone discovering the next incarnation of Meltdown and Spectre.

Tier 2 incentivizes researchers to figure out how to bypass the patches Microsoft has implemented in its Azure cloud to close Meltdown and Spectre vulnerabilities, with a bounty up to $200,000. Tier 3 does the same for Windows mitigations, and offers the same money.

And Tier 4 awards up to $25,000 to anyone who finds ways to siphon data across "trusted boundaries" in Windows 10 or the Microsoft Edge browser by exploiting Spectre or Meltdown.

"Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods," Misner said. The bounty program looks to encourage that research while making sure discoveries are safely disclosed in coordination with Microsoft and partners.

Microsoft will share, "under the principles of coordinated vulnerability disclosure", any knowledge the bug bounty program yields so technology companies across the industry can collaborate on solutions, Misner said.

"Together with security researchers, we can build a more secure environment for customers," he said.

While channel partners certainly are welcome to participate in such programs, it's usually only the largest systems integrators that hunt for such bounties—like Accenture through its FusionX cybersecurity division, said Ben Mead, cloud and infrastructure lead at Credera, a Dallas-based Microsoft Azure partner.

Mostly individual researchers and security research firms "tend to invest their time in this realm," Mead said.

Bounty programs have become common for major technology companies—a notable exception being Amazon—to turn up vulnerabilities before hackers can form exploits, Mead told CRN.

But there are many research firms that would rather operate in a "grey-market." Those companies identify, validate and often weaponize "zero-day" exploits without disclosing the vulnerabilities to manufacturers, especially if there's no payment system in place, or bounties are deemed too low, Mead said.

For that reason, the large tech vendors are stepping up the cash amounts offered by bounty programs.

Last March, Microsoft doubled its top bounty award, Google ramped its bounty awards by 50 percent, and Intel started paying researchers $30,000 for spotting critical hardware flaws.

Months after Intel established that program, a team of security researchers from Austria's Graz University of Technology reached out to the Santa Clara, Calif.-based semiconductor giant and let it know that they had found a design-level flaw in its chips.

Those vulnerabilities had actually been discovered independently months earlier by Jann Horn from Google Project Zero. They became known to the world in January 2018 as Meltdown and Spectre.

While research into mitigating the vulnerabilities had already been underway, Intel awarded the Austrian researchers a bug bounty for abiding by responsible disclosure guidelines and not making any premature revelations.

Six weeks after Meltdown and Spectre came to light, Intel said it was raising its bounty awards across the board and launching a limited-time program focused specifically on side-channel vulnerabilities, with awards up to $250,000.