Microsoft will pay you up to $250,000 to find Spectre-like flaws

If you know how to test hardware and software and how to identify vulnerabilities in them, then there’s some real money to be made. Some manufacturers and developers will pay tons of cash to anyone who can pick out defects in their products that can lead to system breaches — all it takes is some know-how and a little patience. Microsoft is one such company, and it’s now paying up to $250,000 for identifying vulnerabilities related to Meltdown and Spectre.

In case you’ve forgotten, these two vulnerabilities have been causing quite a stir over the last several months. They impact almost all CPUs in use today to one extent or another, including Intel, AMD, and ARM processors going back a decade or so. Fixing the bugs, which involve “speculative execution” that is used to speed up processing, has caused system crashes, reboots, and poor performance, and Intel in particular has struggled to create a stable solution.

Microsoft has now added those kinds of vulnerabilities to its bug bounty program. Phillip Misner, principal security group manager for Microsoft’s security response center, describes the new bounty:

“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods. This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues. Tier 1 focuses on new categories of attacks involving speculative execution side channels.”

There are four tiers in the Speculative Execution Bounty Program, as follows:

  • Tier 1: New categories of speculative execution attacks, up to $250,000
  • Tier 2: Azure speculative execution mitigation bypass, up to $200,000
  • Tier 3: Windows speculative execution mitigation bypass, up to $200,000
  • Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge, up to $25,000. The vulnerability must enable the disclosure of sensitive information across a trust boundary.

Microsoft will be sharing whatever research is uncovered by the bounty program. This will allow collaboration between all of the involved parties to create solutions to the vulnerabilities and create a more secure environment for users.

If you’re someone who knows how to dig into systems and find flaws, then you’ll want to take a look at Microsoft’s standard terms and conditions for its bug bounty programs. There’s some real money to be made, so you can gain some financial benefit along with the good feelings that come with bringing better security to our computing lives.

Mark Coppock
Mark Coppock is a Freelance Writer at Digital Trends covering primarily laptop and other computing technologies. He has…