Microsoft Speculative Execution Side Channel Bounty Program
Microsoft is announcing the launch of the Speculative Execution Side Channel Bounty Program beginning March 14, 2018 and running through December 31, 2018. Speculative Execution Side Channels are a hardware vulnerability class that affects CPUs from multiple manufacturers. Through this program, individuals have the opportunity to submit novel speculative execution side channel vulnerabilities and mitigation bypasses that affect our latest Windows and cloud platforms. Under this program, qualified submissions are eligible for payment of up to $250,000.00 USD. All bounties will be awarded at Microsoft's discretion.
All qualifying submissions will be shared with industry partners to coordinate disclosure and protections for customers.
The Microsoft Speculative Execution Side Channel Bounty Program is subject to the legal terms outlined here and amended within this program description.
WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?
The Microsoft Bug Bounty program is looking to reward high quality submissions that reflect the research that you put into your discovery. The goal of your report is to share your knowledge and expertise with Microsoft developers and engineers so that they can quickly and efficiently understand and reproduce your finding. This way, they have the background and context to fix the vulnerability.
Vulnerability submissions provided to Microsoft must meet the following criteria to be eligible for payment:
- Include a description of the issue and concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
- Eligible vulnerability submissions must include a white paper or a brief document explaining the exploitation method and must target one of the following scenarios:
- A category or exploit method for a Speculative Execution Side Channel vulnerability.
- A method of bypassing a mitigation imposed by a hypervisor, host or guest using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from another guest.
- A method of bypassing a mitigation imposed by Windows using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the kernel or another process.
- A method of bypassing a mitigation imposed by the Microsoft Edge using a Speculative Execution Side Channel attack. For example, this could include a technique that can read sensitive memory from the Microsoft Edge content.
- All submissions must bypass mitigations specifically targeted at Speculative Execution Attacks.
- Eligible submissions must demonstrate and describe an exploitation method that meets the following criteria:
- Reliable: it must have a low probability of failure.
- Reasonable: it must have reasonable requirements and pre-requisites.
- Impactful: it must enable a security vulnerability (e.g. Information Disclosure) across a trust boundary. Include the impact of the vulnerability.
- Latest Version: it must be applicable to the latest version of our products on the date the entry is submitted with all relevant protections enabled.
- Novel: it must be a distinct method that has not been described in prior works and is not known to Microsoft or industry partners.
For examples of what constitutes an eligible bounty submission, please refer to our "Example Report Submissions" page for further details.
HOW ARE PAYMENT AMOUNTS SET?
Rewards for submissions that qualify for a bounty range from $5,000 up to $250,000. Higher payouts are given based on the quality of the report and the security impact of the vulnerability. Security researchers are encouraged to provide as much data at the time of submission to be more likely of the highest payout possible. We typically reward lower amounts for vulnerabilities that require significant user interaction.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive single highest payout from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet the above criteria.
The following tables provide a list of eligible submissions to this bounty program that are explicitly in scope, and the definition of the techniques that are in scope and out of scope for each tier. Submissions that leverage other novel exploitation techniques that are not listed below may still qualify for a bounty (as determined by Microsoft in its sole discretion). An eligible Speculative Execution Side Channel bounty submission must work when all supported mitigations in the latest builds are enabled. This scope is subject to change at any time at Microsoft's discretion.
Tier 1: New categories of speculative execution attacks
Qualifying submissions must identify a novel category of speculative execution attacks that Microsoft and other industry partners are not aware of. An example of a qualifying submission would be a new method of leveraging speculative execution side channels to disclose information across a trust boundary.
$100,000 - $250,000 USD
Tier 2: Azure speculative execution mitigation bypass
Qualifying submissions must demonstrate a speculative execution side channel attack that can be used to read sensitive memory that is not allocated to an attacker’s virtual machine on Azure.
$100,000 - $200,000 USD
Tier 3: Windows speculative execution mitigation bypass
Qualifying submissions must demonstrate a novel method of bypassing speculative execution mitigations on Windows. Specifically, this would involve bypassing the Windows mitigations for CVE-2017-5715 (branch target injection), CVE-2017-5754 (rogue data cache load), and CVE-2018-3620/CVE-2018-3646 (L1 terminal fault). These bypasses must demonstrate that it is possible to disclose sensitive information when these mitigations are present and enabled.
$100,000 - $200,000 USD
Tier 4: Exploitable speculative execution vulnerabilities
Qualifying submissions will identify an instance of a known speculative execution hardware vulnerability (such as CVE-2017- 5753 or CVE-2018-3639) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary.
$5,000 - $25,000 USD
- Additional factors that are considered when assessing payouts include: how broadly applicable the side channel attack may be, the perceived level of difficultly and reliability in making use of the technique, and the overall impact of the attack.
- IMPORTANT NOTE FOR AZURE TESTING: Testing for vulnerabilities should only be performed on tenants in subscriptions/accounts owned by the program participant.
WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?
The aim of the bug bounty program is to uncover novel vulnerabilities that have a direct and demonstrable impact on the security of our users and our users' data. The following are examples of vulnerabilities that will not earn a bounty reward under this program:
- Tier 3 and 4 vulnerabilities in anything earlier than the current WIP fast build
- Vulnerabilities in any versions of Internet Explorer
- Vulnerabilities in any versions of Adobe Flash
- Microsoft Edge Timer mitigation bypasses of variant 1 (Tier 4)
Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet the above criteria.
The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. While we encourage any submissions that describe security vulnerabilities in WIP fast, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
- Vulnerabilities in Windows Store, Windows Apps, firmware, third party drivers, or third-party software in Windows
- Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities that rely on default security settings being downgraded or the system to use uncommon configurations
To review the terms and conditions for the Bug Bounty Program, please go to here.