
Microsoft Offers Bug Bounty to Prevent Another Spectre-Meltdown Fiasco - rbanffy
https://hothardware.com/news/microsoft-offering-up-to-250000-in-speculative-execution-bug-bounty-program
======
WebLLL
The offer is limited to bugs that are not already known to Microsoft or their
partners, and they are not disclosing what these bugs are, and they are making
no claim to have fixed them. I made a submission to Intel and others weeks
after some were claiming to have mitigated this with small reductions in timer
resolution, showing that the timer mitigation would not stop these
vulnerabilities. No one would pay out; they said they were already aware of it.
Have they informed the public, have they withdrawn their product, have they
transitioned their user base to safer products??? No one is going to hand over
their well documented exploits under such terms. Let them offer twice the
reward for public disclosures of issues that they already know and have not
fixed or not warned the public about, and then we might take their offer
seriously.

~~~
tptacek
I don't understand the disincentive you're describing. Unless you believe that
Intel or Microsoft would _lie_ about already knowing about a vulnerability ---
which is extremely dumb, given how minimal the expense is, and how much
publicity you'd immediately generate by going public --- then what's the risk?

~~~
shawnz
> Unless you believe that Intel or Microsoft would lie about already knowing
> about a vulnerability

Imagine they know of a vulnerability but believe that it's not practical to
exploit, or something. Then someone comes along and demonstrates that it
actually is practical to exploit. They could say, well, we knew about this
already and didn't believe it's practical, so we're not paying you for it.

It can sometimes be hard to convince a vendor that a vulnerability is "their
fault" and this policy only increases the difficulty.

~~~
baddox
If it’s not practical to exploit, why wouldn’t Microsoft disclose it publicly?
I thought that the “best ethical practice” for vulnerability disclosure is to
notify the vendor privately, then disclose publicly after some period of time
if the vendor is uninterested or unresponsive, with the idea being that it’s
safer in the long run for vulnerabilities to be publicly known than only known
to a small number of parties (since some of those parties may be trying to
exploit the vulnerability).

~~~
dspillett
_> If it’s not practical to exploit, why wouldn’t Microsoft disclose it
publicly?_

Because of the public?

If someone decides to try to make a name for themselves by taking a shot at
embarrassing MS/Intel/Linux/AMD/other, which do you think will have more effect
on public perception: intelligent, detailed discussion about practicalities
and real world attack/defense profiles, or loud shouty "but what if" reporting
carefully worded to be as scary as possible?

~~~
baddox
But this is the entire point of bug bounties, right? Companies literally pay
people to find vulnerabilities in their software.

------
ISL
One presumes that Spectre/Meltdown-level bugs are each worth substantially
more to the computer industry than $250k.

~~~
GoToRO
You would think. But if you don't buy Microsoft, Apple, Intel, AMD what do you
buy? There is no alternative.

~~~
loosescrews
These bugs are probably most valuable against cloud providers (where else do
you get arbitrary code execution on a machine with others' valuable data on
it?). Most cloud providers run Linux, not Microsoft (except Microsoft) and
definitely not Apple.

~~~
gopalakrishnans
Microsoft does have a lot of Linux VMs [https://azure.microsoft.com/en-us/services/virtual-machines/](https://azure.microsoft.com/en-us/services/virtual-machines/)

~~~
loosescrews
What matters is the host OS, not the guest.

------
mastax
Bug bounties are good but they wouldn't have prevented Spectre-Meltdown. The
only way to prevent such a fiasco is for the bugs to never exist in the first
place. The only difference bounties make is that hopefully vendors patch the
issue before it becomes widely exploited. In the case of S/M, vendors got many
months of notice and it was still a fiasco - that is the nature of software
bugs.

~~~
whb07
For bugs to never exist in the first place? Let me put that one in the list of
obvious things like “traffic accidents shouldn’t occur”, “drowning accidents
shouldn’t occur”, “heart disease shouldn’t occur”.

I’m sure I missed something. Could you help me out?

~~~
ploxiln
Meltdown/Spectre was not a "fiasco" due to Microsoft and Intel not finding
out. It was "responsibly" disclosed to the companies, and there were multiple
months to prepare a response. A bigger bounty would not change anything for
Meltdown/Spectre.

It was a "fiasco" because it affected over 90% of all servers and laptops out
there. And there was just no way to prepare enough of a response, while
keeping it secret. For a few months, too few engineers knew about it for good
mitigation development. Towards the end, as more people who needed to know
were looped in, everyone could see it coming. The vulnerabilities, and
mitigations, were just too big.

------
the8472
> this particular set of bug bounty rules is exclusive to vulnerabilities that
> surround speculative execution bugs

I wonder what the rationale is for that narrow scope. Is it just that there
aren't that many potential sources of side-channels?

~~~
austincheney
So that they aren't paying out huge sums of money for trivial defects in
fringe products. For example a userland defect in editing tools of Sharepoint
is not going to be worthy of a $250,000 reward to MS.

~~~
the8472
I mean why does it matter which CPU component is mis-designed if it is a side-
channel that allows you to extract data from other security domains?

If the last 10 years of VT-x implementations had a flaw that lets you extract
data from other VMs that would be about as juicy as Meltdown.

~~~
nickpsecurity
I agree. We're going to see more types of attacks especially given two papers
are already showing researchers where to look:

[https://eprint.iacr.org/2016/479.pdf](https://eprint.iacr.org/2016/479.pdf)

[https://ts.data61.csiro.au/publications/csiro_full_text//Ge_...](https://ts.data61.csiro.au/publications/csiro_full_text//Ge_YCH_toappear.pdf)

They should broaden it to confidentiality or integrity breaches on CPU
components that affect Windows-based products. That will cover more ground.
Availability is important, too, but the other two are a nice start that won't
break the bank with crashes or stalls. They might still pay for them but with
less money.

------
mtmail
Microsoft's press release the article is based on:
[https://technet.microsoft.com/en-us/mt846432.aspx](https://technet.microsoft.com/en-us/mt846432.aspx)

------
sytse
Azure reset all VMs because of the early disclosure. Glad to see MSFT
acting on this. Are they using HackerOne?

------
DyslexicAtheist
Bug bounties are no panacea or substitute for strong security thinking across
different product stages and departments. We had Spectre and Meltdown due to
the industry shortcoming in this regard, not because we didn’t conduct enough
bug bounties.

- [https://www.linkedin.com/pulse/bug-bounty-when-auctioning-of...](https://www.linkedin.com/pulse/bug-bounty-when-auctioning-off-our-math-problems-joachim-bauernberger/?trackingId=ebUh0CK4Dr0UW9YGTPnziw%3D%3D)

------
trisimix
I hope that as time goes on we find the open source approach to crowdsourcing
bugs is actually so much more viable than bug bounties, and that, combined with an
increased need for security, we find that much proprietary software is
outmatched.

------
amelius
Perhaps an ignorant question, but does there already exist a practical
demonstration of the Spectre/meltdown bugs, or are they still theoretical?

~~~
rejectedalot
See section 4.3 in the Spectre paper -
[https://spectreattack.com/spectre.pdf](https://spectreattack.com/spectre.pdf)

It includes an implementation of the exploit in a few lines of JavaScript.
