Microsoft will pay you up to $250,000 to find Spectre-like flaws

If you know how to test hardware and software and how to identify vulnerabilities in them, then there’s some real money to be made. Some manufacturers and developers will pay tons of cash to anyone who can pick out defects in their products that can lead to system breaches — all it takes is some know-how and a little patience. Microsoft is one such company, and it’s now paying up to $250,000 for identifying vulnerabilities related to Meltdown and Spectre.

In case you’ve forgotten, these two vulnerabilities have been causing quite a stir over the last several months. They impact almost all CPUs in use today to one extent or another, including Intel, AMD, and ARM processors going back a decade or so. Fixing the bugs, which involve “speculative execution” that is used to speed up processing, has caused system crashes, reboots, and poor performance, and Intel in particular has struggled to create a stable solution.

Microsoft has now added those kinds of vulnerabilities to its bug bounty program. Phillip Misner, principal security group manager for Microsoft’s security response center, describes the new bounty:

“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods. This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues. Tier 1 focuses on new categories of attacks involving speculative execution side channels.”

There are four tiers in the Speculative Execution Bounty Program, as follows:

  • Tier 1: New categories of speculative execution attacks, up to $250,000
  • Tier 2: Azure speculative execution mitigation bypass, up to $200,000
  • Tier 3: Windows speculative execution mitigation bypass, up to $200,000
  • Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge, up to $25,000. The vulnerability must enable the disclosure of sensitive information across a trust boundary.

Microsoft will be sharing whatever research is uncovered by the bounty program. This will allow collaboration between all of the involved parties to create solutions to the vulnerabilities and create a more secure environment for users.

If you’re someone who knows how to dig into systems and find flaws, then you’ll want to take a look at Microsoft’s standard terms and conditions for its bug bounty programs. There’s some real money to be made, so you can gain some financial benefit along with the good feelings that come from bringing better security to our computing lives.

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…