Microsoft offers bug bounties for Spectre, Meltdown flaws

But only for nine months.

Microsoft is offering bug bounties for a limited time to security researchers who uncover speculative execution side channel vulnerabilities like Spectre and Meltdown.

The company today said the program was a recognition of the change in the threat environment that occurred when Google revealed the serious processor flaws that affect Intel, AMD and ARM chips in January this year.

It is hoping the program will "encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues".

The program will only be open until December 31 this year.

Researchers can earn up to US$250,000 (A$317,227) for finding new categories of speculative execution attacks.

Up to US$200,000 is on offer for flaws that bypass Spectre/Meltdown mitigations in Microsoft's Azure and Windows products, and up to US$25,000 can be earned for finding Spectre/Meltdown flaws in Windows 10 or Microsoft Edge.

Microsoft said it would share research disclosed under the program to affected parties so they can collaborate on solutions.

"Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods," Microsoft said.

"This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues."

Intel similarly opened a nine-month bug bounty program for Spectre/Meltdown-like flaws last month.

It is also offering up to US$250,000 for the most serious discoveries.

"We expect this new hardware vulnerability class to be the subject of further research as we’ve witnessed in the past with other vulnerability classes," Microsoft said in a separate post.

"Going forward, we recommend that the software industry view these issues as a new vulnerability class that may require software changes in order to help mitigate (e.g. like buffer overruns, type confusions, use after frees, and so on)."
