Slashdot Mirror


Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities (betanews.com)

An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.

21 comments

  1. Interfering?? by Anonymous Coward · · Score: 0

    Why is Microsoft interested in paying bug bounties for hardware it doesn't make itself? Is this the new Microsoft interfering in someone else's business? I know Intel and Microsoft have some sort of secret pact to support each other, but in recent years that friendship seems to be evaporating. So again, why? I suspect foul play at work here yet again from a convicted monopolist.

    1. Re:Interfering?? by jellomizer · · Score: 2

      Well there are a few reasons.
      1. Still, in terms of PCs Microsoft is #1. So such bugs will negatively affect them. How many of these bugs and crashes did we blame on Windows sucking so badly when it was a poorly made driver or an odd 3rd party hardware add-in? (The same problems can happen with other systems such as Linux, and we happily blame the hardware vendor for not being open enough.)
      2. They can get lead time to make a patch or workaround. For large software systems that affect millions/billions of users, patches need to be done carefully. So there is a lot of regression testing, and making sure the patch doesn't break any official ways of doing things in Windows. (Crazy hacks that bypass the system may always break, and if your program isn't that popular it may break.)
      3. They can get a marketing information strategy set. Able to point to the root cause (say Intel) and market a strategy of redirecting the blame to them, while looking like a hero for fixing the solution.
      4. Microsoft works closely with these hardware guys. They are more apt to work on finding a fix with them than a rogue 0-day exploit posted by some black hat hacker, where they have to fix the problem in the midst of chaos and people getting hurt from the hack, vs. having an organized plan to solve the issue and put out a good fix.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Interfering?? by Anonymous Coward · · Score: 0

      Why is Microsoft interested in paying bug bounties for the only hardware platform where Microsoft remains relevant? Gee, that's a toughie.

    3. Re:Interfering?? by Lunix+Nutcase · · Score: 1

      Because these attacks cause software vulnerabilities? And how exactly are these bounties “interfering” with anything?

  2. Totally, Like, Earlier? by abelenky17 · · Score: 1

    "Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year"

    Like, earlier in the year, like, January? February? How early in the year are we talking?

    1. Re:Totally, Like, Earlier? by Anonymous Coward · · Score: 0

      A similar exploit is worth 10x what they offer... if not more, if one has a bit of brain.

    2. Re:Totally, Like, Earlier? by Ol+Olsoc · · Score: 1

      "Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year"

      Like, earlier in the year, like, January? February? How early in the year are we talking?

      I'm in a cynical mood today, but given the forces involved, Microsoft and Intel, and the money involved, some little guy researching and reporting is as likely to be thrown in jail as catch the bounty.

      I wouldn't touch this unless there was a contract indemnifying me from any and all prosecution during the length of my research. Otherwise TCGFT's.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Totally, Like, Earlier? by Megol · · Score: 1

      Like every other security researcher has in the past, you mean?

      (/s if required)

  3. It's not in our best interest to report it by Anonymous Coward · · Score: 0

    It's not in our best interest to report it to Microsoft. It's in our interest to leverage it. Microsoft is afraid because Azure is full of security holes. IBM, Microsoft, and Amazon are pushing Cloud hosted services to business. The truth is there is nothing more secure than a private air gapped datacenter providing services for a business. If your business is hosted in the Cloud, it's not a matter of whether you get hacked, it's a matter of when. If you are an IT Professional and you don't want your job outsourced or lost because the services are hosted in the Cloud, write code to leverage what you found and when the time is right, make it public.

    Speculative Side Channel Vulnerabilities are just one method. Did you know that the IP stack has many vulnerabilities? The NSA is aware of most of them. They were more than likely aware of the Speculative Side Channel Vulnerabilities as well. I don't doubt that they were put in place on purpose. I am willing to bet Intel and AMD hired engineers that were actually NSA agents. Who knows, perhaps they are still working there. There's actual hostile development activity as well. Cheap routers and switches with backdoors programmed in, IoT devices with back doors.

    Never assume your posts or data are private. I'd imagine my very post is being monitored. There's nothing wrong with the post. I'm just saying if you think your data is safe and it's hosted on a system connected to the net, you are mistaken. The only secure systems are air gapped with vetted users. Any data installed on the air gapped system must be downloaded on a bastion host, scanned, and scrutinized.

  4. Chump change by Anonymous Coward · · Score: 0

    250k is nothing compared to what a usable, 0-day bug like this would be worth on the black market.

    Microsoft surely could have afforded to offer more?

    1. Re:Chump change by coofercat · · Score: 1

      This is easy to say, but hard to actually get without putting oneself in some serious danger. It's far easier to get the $250K from MS, and then do speaker gigs around the world for $10k/time.

      That said, telling Microsoft before telling anyone else seems like telling the wolf when Red Riding Hood is due home. It makes me wonder why Microsoft has/had so much to lose from such bugs...? Azure that bad, is it?

    2. Re:Chump change by Lunix+Nutcase · · Score: 1

      Sure, but selling exploits on the black market comes with the potential for criminal prosecution. Not everyone is unethical and a criminal like you.

    3. Re:Chump change by Opportunist · · Score: 1

      Hmm... 250k plus invitations to all security conferences to speak there, vs. having to deal with the mob, and a couple three-letter agencies that are not only pissed at me but also have a good reason to lock me up...

      I can't help it but the decision seems easy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re: Chump change by Anonymous Coward · · Score: 0

      You are doing it wrong then.

      If you aren't anonymous when selling sploits, then you are doing something wrong.

  5. Here's a big one... by Anonymous Coward · · Score: 0

    M$ Wlndows is a vulnerability. Send my reward to Linux so they can fix what Winblows can't..

  6. Which principles? by Mister+Liberty · · Score: 1

    "the principles of coordinated vulnerability disclosure".
    Coordinated with whom, the gov?

    1. Re:Which principles? by Anonymous Coward · · Score: 0

      Ding ding ding. This is to give the NSA a heads-up on which sploits will be sunsetted in six months.

  7. Ah Slashdot by Merk42 · · Score: 1

    Many eyes make all bugs shallow!
    Oh wait, Eveil M$ wants people to file bugz? And reward them for doing so? EEIVL!!!111

  8. Maybe you should open source your OS? by Anonymous Coward · · Score: 0

    nt

  9. Specific! by Anonymous Coward · · Score: 0

    That's an awfully specific bug bounty program. Finding something as severe as Meltdown/Spectre in hardware is 1 in a million. It took almost two decades to realize the fundamental design flaws in the way predictive branching was built, but the Internet was new-ish back then and security was low on the priority list.

    I hope Microsoft can pad that program out with other ultra-specific programs or there will be crickets chirping.

  10. dangling modifier or kooky moniker by Anonymous Coward · · Score: 0

    "Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. "

    Microsoft has been called many things, but nobody calls it "speculative execution side channel vulnerabilities".