ms-msrc

Speculative Execution Bounty Launch Today, Microsoft is announcing the launch of a limited-time bounty program for speculative execution side channel vulnerabilities. This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field.  In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues. Quick Facts: Bounty Duration: Open until December 31, 2018 Full Details: Speculative Execution Bounty Program Bounty Terms: Standard terms and conditions apply Bounty Tiers: (below)  Tier  Payout (USD) Tier 1: New categories of speculative execution attacks  Up to $250,000 Tier 2: Azure speculative execution mitigation bypass  Up to $200,000 Tier 3: Windows speculative execution mitigation bypass  Up to $200,000 Tier 4: [ more… ]

March 2018 security update release Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found in the Security Update Guide. Source: March 2018 security update release

Inside the MSRC– The Monthly Security Update Releases For the second in this series of blog entries we want to look into which vulnerability reports make it into the monthly release cadence. It may help to start with some history.  In September 2003 we made a change from a release anytime approach to a mostly predictable, monthly release cadence.  October 2003 ushered in what became known as Update Tuesday.  How and when Microsoft releases new products and services in market products has changed over the years, but the monthly delivery of security content has remained steady. So how do we decide what goes into a monthly security release?  That decision largely rides on required customer action and risk.  Required customer action is realized through products where customers need to take action to protect themselves against a vulnerability.  For consumers, protection [ more… ]

February 2018 security update release Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found in the Security Update Guide. Source: February 2018 security update release

Inside the MSRC – How we recognize our researchers This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports. The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways. We split our acknowledgments into three distinct categories, CVE qualified submissions, online services, and bug bounty. It is possible that a single submission will be acknowledged by one or more of these categories. We update our acknowledgements each month with the latest findings and submissions. When it comes to recognizing our researchers through Coordinated Vulnerability Disclosure (CVD), if the finding that was submitted was impactful enough to be addressed in our monthly bulletin release [ more… ]