Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities (betanews.com)
An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.
Re: (Score:3)
Well there are a few reasons.
1. Still, in terms of PCs, Microsoft is #1, so such bugs will negatively affect them. How many of these bugs and crashes have we blamed on Windows sucking so badly when it was actually a poorly made driver or an odd 3rd-party hardware add-in? (The same problems can happen with other systems such as Linux, and there we happily blame the hardware vendor for not being open enough.)
2. They can get lead time to make a patch or workaround. For large software systems that affect millions/billions
Re: (Score:2)
Because these attacks cause software vulnerabilities? And how exactly are these bounties “interfering” with anything?
Totally, Like, Earlier? (Score:2)
"Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year"
Like, earlier in the year, like, January? February? How early in the year are we talking?
Re: (Score:2)
"Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year"
Like, earlier in the year, like, January? February? How early in the year are we talking?
I'm in a cynical mood today, but given the forces involved, Microsoft and Intel, and the money involved, some little guy researching and reporting is as likely to be thrown in jail as to catch the bounty.
I wouldn't touch this unless there was a contract indemnifying me from any and all prosecution during the length of my research. Otherwise TCGFT's.
Re: (Score:2)
Like every other security researcher has in the past, you mean?
(/s if required)
Re: (Score:2)
This is easy to say, but hard to actually do without putting oneself in some serious danger. It's far easier to get the $250K from MS, and then do speaker gigs around the world for $10k a time.
That said, telling Microsoft before telling anyone else seems like telling the wolf when Red Riding Hood is due home. It makes me wonder why Microsoft has/had so much to lose from such bugs...? Azure that bad, is it?
Re: (Score:2)
Sure, but selling exploits on the black market comes with the potential for criminal prosecution. Not everyone is unethical and a criminal like you.
Re: (Score:2)
Hmm... $250k plus invitations to all the security conferences to speak there, vs. having to deal with the mob and a couple of three-letter agencies that are not only pissed at me but also have a good reason to lock me up...
I can't help it, but the decision seems easy.
Which principles? (Score:2)
Coordinated with whom, the gov?
Ah Slashdot (Score:2)
Oh wait, Eveil M$ wants people to file bugz? And reward them for doing so? EEIVL!!!111