Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities (betanews.com)
An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.
"Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year"
Like, earlier in the year, like, January? February? How early in the year are we talking?
Well there are a few reasons.
1. Still, in terms of PCs, Microsoft is #1. So such bugs will negatively affect them. How many of these bugs and crashes have we blamed on Windows sucking so badly when it was a poorly made driver or an odd 3rd-party hardware add-in? (The same problems can happen with other systems such as Linux, and we happily blame the hardware vendor for not being open enough.)
2. They can get lead time to make a patch or workaround. For large software systems that affect millions/billions of users, patches need to be done carefully. So there is a lot of regression testing, and making sure the patch doesn't break any official ways of doing things in Windows. (Crazy hacks that bypass the system may always break, and if your program isn't that popular it may break.)
3. They can get a marketing information strategy set. Able to point to the root cause (say Intel) and market a strategy of redirecting the blame to them, while looking like a hero for fixing the solution.
4. Microsoft works closely with these hardware guys. They are more apt to work on finding a fix working with them than a rogue 0-day exploit posted by some black hat hacker, where they have to fix the problem in the midst of chaos and people getting hurt from the hack, vs. having an organized plan to solve the issue and put out a good fix.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is easy to say, but hard to actually get without putting oneself in some serious danger. It's far easier to get the $250K from MS, and then do speaker gigs around the world for $10k/time.
That said, telling Microsoft before telling anyone else seems like telling the wolf when Red Riding Hood is due home. It makes me wonder why Microsoft has/had so much to lose from such bugs...? Azure that bad, is it?
"the principles of coordinated vulnerability disclosure".
Coordinated with whom, the gov?
Many eyes make all bugs shallow!
Oh wait, Eveil M$ wants people to file bugz? And reward them for doing so? EEIVL!!!111
Because these attacks cause software vulnerabilities? And how exactly are these bounties “interfering” with anything?
Sure, but selling exploits on the black market comes with the potential for criminal prosecution. Not everyone is unethical and a criminal like you.
Hmm... 250k plus invitations to all security conferences to speak there, vs. having to deal with the mob, and a couple of three-letter agencies that are not only pissed at me but also have a good reason to lock me up...
I can't help it, but the decision seems easy.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.