Microsoft is introducing a new bug bounty reward for the “speculative execution” CPU vulnerabilities that were disclosed recently. The software giant is offering up to $250,000 for bugs that are similar to the Meltdown and Spectre CPU flaws. Microsoft’s bounty will run until the end of the year, and it’s clearly designed to discover additional flaws as researchers begin to look at these types of vulnerabilities in processor designs.
“Speculative execution is truly a new class of vulnerabilities,” says Phillip Misner, a security group manager at Microsoft. “We expect that research is already underway exploring new attack methods.” Microsoft wants to encourage security researchers to responsibly disclose any potential CPU flaws, and up to $250,000 is probably a good way to achieve that. Microsoft also offers up to $250,000 for serious Hyper-V flaws in Windows 10.
News of Microsoft’s Spectre response comes just as Intel is preparing its own CPU changes for the future. Intel is redesigning its processors to protect against attacks like Spectre, and the company’s next-generation Xeon processors (Cascade Lake) will include new hardware protections, alongside 8th generation Intel Core processors that ship in the second half of 2018. Existing CPUs will be protected with firmware updates, but it’s obvious that the industry wants to address these new problems at the fundamental hardware design level to ensure future devices are protected.