Microsoft Offering Up to $250,000 for Identifying Chip Bugs

Microsoft is offering up to $250,000 (roughly Rs. 1.6 crores) for identifying bugs that are similar to the Meltdown and Spectre CPU flaws.

Phillip Misner said in their blog post

” Today, Microsoft is announcing the launch of a limited-time bounty program for speculative execution side-channel vulnerabilities. This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field.  In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues.”

What Are PayOuts and How to Participate?

This bounty program is open until December 31, 2018, and there are total 4 tiers. Tier 1 offers highest $250,000 payout to the person who finds a dangerous bug.  Tier 2 offers $200,000 to the person who finds a bug in azure security bypass. Tier 3 offers the same payout as tier 2 to the person who finds a bug in windows security bypass. Tier 4 offer least payout which is $25,000 to the person who finds the speculative execution of windows, vulnerability must enable the disclosure of sensitive information across a trust boundary.

Tier  Payout (USD)
Tier 1: New categories of speculative execution attacks  Up to $250,000
Tier 2: Azure speculative execution mitigation bypass  Up to $200,000
Tier 3: Windows speculative execution mitigation bypass  Up to $200,000
Tier 4: Instance of a known speculative execution vulnerability (such as CVE-2017-5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary  Up to $25,000

 

Microsoft offering $25,000 to $2,50,000 to the person who finds a bug in the hardware and based on tier they mentioned in there blog.

According to security researchers, two CPU-level vulnerabilities Spectre and Meltdown have affected most chips made in the last two decades by Intel, as well as some by AMD and ARM Holdings.

Following the news of the bugs getting out, all major tech players such as Microsoft, Google, Apple, including Intel, released security patches to help protect users from potential data theft.