
Microsoft Says No To Paying Bug Bounties

timothy posted about 4 years ago | from the like-mel-gibson-in-ransom dept.


Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."


148 comments


Or it could be because they would be bankrupt ... (5, Funny)

MeNotU (1362683) | about 4 years ago | (#33001594)

Or it could be because they would be bankrupt within the week.

Re:Or it could be because they would be bankrupt . (1)

kubitus (927806) | about 4 years ago | (#33001640)

you beat me with this answer!

Re:Or it could be because they would be bankrupt . (0)

Anonymous Coward | about 4 years ago | (#33002864)

A week is very... very generous.

Re:Or it could be because they would be bankrupt . (3, Funny)

Anonymous Coward | about 4 years ago | (#33001682)

Microsoft: As good at security as Linux users are at doing sex with girls

Re:Or it could be because they would be bankrupt . (5, Funny)

Anonymous Coward | about 4 years ago | (#33001732)

as well witnessed by the linux user who refers to it as "doing sex"

Re:Or it could be because they would be bankrupt . (0, Troll)

segin (883667) | about 4 years ago | (#33001740)

Except I'm a Linux user and my girlfriend is pregnant.

P.S. I'm an Atheist and I'm not buying that immaculate conception bullshit you're selling.

Re:Or it could be because they would be bankrupt . (3, Funny)

Anonymous Coward | about 4 years ago | (#33001772)

Oh, we don't think it was immaculate...

Re:Or it could be because they would be bankrupt . (1)

spamking (967666) | about 4 years ago | (#33001878)

That's what she said.

Re:Or it could be because they would be bankrupt . (1)

somersault (912633) | about 4 years ago | (#33001824)

Just because you got to the destination doesn't mean you're a good driver*.

*this was originally a sandwich analogy, but then I remembered my audience.

Re:Or it could be because they would be bankrupt . (1)

Hylandr (813770) | about 4 years ago | (#33001854)

I am a Linux user since the time you had to compile your own kernel in order to perform an install.
I have 7 going on 8 children. My wife uses Linux too. :)
- Dan.

Re:Or it could be because they would be bankrupt . (1)

somersault (912633) | about 4 years ago | (#33001970)

I wasn't debating whether Linux users have sex, I was pointing out that the original comment was about being good at "doing sex", not about the possibility of having sex. Just because someone is having sex doesn't mean they're good at it. There are plenty of lazy fat people out there.

Of course it was rather poorly worded so the intention could have been either way.

Re:Or it could be because they would be bankrupt . (0)

Anonymous Coward | about 4 years ago | (#33002238)

Interestingly enough... The social insecurity seems to pay off in this department!

http://www.thesun.co.uk/sol/homepage/features/article2439786.ece [thesun.co.uk]

Re:Or it could be because they would be bankrupt . (1)

somersault (912633) | about 4 years ago | (#33002604)

I'm both an IT geek and have turned into a bit of a fitness buff in the last couple of years.. heh heh :P This article confirms my limited experience.

Re:Or it could be because they would be bankrupt . (0)

Anonymous Coward | about 4 years ago | (#33001974)

oh well that makes sense.. she's equally as bad so it's a perfect match! and the universe is back in order

Re:Or it could be because they would be bankrupt . (1, Funny)

bigsteve@dstc (140392) | about 4 years ago | (#33002268)

Well good for you! Now if we could just stop Windows users breeding ... ;-)

Re:Or it could be because they would be bankrupt . (2, Insightful)

ergrthjuyt (1856764) | about 4 years ago | (#33001718)

Or it could be because they would be bankrupt within the week.

But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

Re:Or it could be because they would be bankrupt . (1)

SkunkPussy (85271) | about 4 years ago | (#33001760)

The joke was that Microsoft's software is so bug-ridden that people will find so many unreported bugs that Microsoft will go bankrupt.

Re:Or it could be because they would be bankrupt . (1)

somersault (912633) | about 4 years ago | (#33001838)

Wait, it was a joke? I thought it rather insightful!

Re:Or it could be because they would be bankrupt . (4, Insightful)

thoth (7907) | about 4 years ago | (#33002572)

It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to. Some possible reasons:

1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.

2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irritates the bean counters who are asking, aren't we already paying for people to work on security issues?

3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.

It is interesting they don't want to do it though.

Re:Or it could be because they would be bankrupt . (1)

ergrthjuyt (1856764) | about 4 years ago | (#33002832)

Might also have to do with the fact that their products are closed source. Certainly makes it harder to do anything much more than brute force guess-and-check type exploits.

Re:Or it could be because they would be bankrupt . (1, Interesting)

sparrowhead (1795632) | about 4 years ago | (#33003066)

...4) MS Customers are happy to pay for bugfixes

I've observed this myself when a consulting firm I worked with suddenly couldn't open an important presentation anymore. The fix cost them IIRC around 3500 €. When asking them why they'd stay with a product that would render its files unusable, they responded that they were actually pretty happy with the response time and the price didn't bother them at all.

Re:Or it could be because they would be bankrupt . (0)

Anonymous Coward | about 4 years ago | (#33002968)

Well, even if they know about the bugs, I'm assuming someone would have to check and assess them all. With the biggest OS on the market and the biggest browser on the market and a populace eager to get some of that bounty cash I could imagine they'd be inundated with reports of known bugs, and then they have to pay someone to sift through them all and find the real ones. It wouldn't bankrupt them but it wouldn't be a low cost initiative either.

Re:Or it could be because they would be bankrupt . (5, Insightful)

mcgrew (92797) | about 4 years ago | (#33001792)

It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

And they modded you "funny" but you're absolutely right, sorta, even if a little exaggerated; they have far more dollars than sense. Well, maybe not sense; ethics.

Re:Or it could be because they would be bankrupt . (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33002118)

Cue the Apple bashers in 3 . . . 2 . . .

Re:Or it could be because they would be bankrupt . (4, Insightful)

v1 (525388) | about 4 years ago | (#33002834)

That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.

But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors, (or at least your PR antichrists) it makes sense to either hire them or become their best customer. Either of which will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.

What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinacy?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.

Re:Or it could be because they would be bankrupt . (1, Insightful)

Anonymous Coward | about 4 years ago | (#33002836)

Because they would have to have a system where bugs are identified and tracked.
Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.

For Microsoft, honesty is not the best policy - they are more of a let-the-dog-sleep company, a good-enough type company.

Translation: (4, Funny)

rah1420 (234198) | about 4 years ago | (#33001598)

"we don't think paying a per-vuln bounty is the best way."

-- er

"We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."

Re:Translation: (2, Interesting)

ergrthjuyt (1856764) | about 4 years ago | (#33001660)

A lot of Microsoft teams have more test engineers than dev engineers. On more mature products, it has been this way for decades now. So your jab, while comical, is far from the truth.

Re:Translation: (3, Insightful)

msauve (701917) | about 4 years ago | (#33001786)

Actually, your claim supports his.

If there weren't lots of bugs to be found, they wouldn't need so many test engineers. Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release? That would be the truly comical claim.

Re:Translation: (2, Insightful)

ergrthjuyt (1856764) | about 4 years ago | (#33002134)

Actually, my claim doesn't support his. He claimed that Microsoft "can't afford" or chooses not to pay people to find bugs in their software. I asserted this was false because of the large number of (well paid) test engineers whose full time jobs are to find bugs.

Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release?

I never even came close to making such a claim. Nice try though.

If there weren't lots of bugs to be found, they wouldn't need so many test engineers.

I'm not sure what point you're trying to make. Anyone with even rudimentary exposure to software development or testing theory understands that having tests is not a sign that a product is buggy. Quite the opposite actually.

The fact is that Microsoft's products are heavily tested and they care a lot about security (backed up with money to pay for testers -- lots of them). This isn't to say that they are perfect or never make bad security design decisions, but any assertion that they don't care about security or bugs is provably false.

Re:Translation: (3, Insightful)

msauve (701917) | about 4 years ago | (#33002548)

As they say, "the proof's in the pudding." MS has earned a reputation for vulnerabilities in their software. You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former. How many of those "large number of (well paid) test engineers whose full time jobs are to find bugs" are focused on discovering new vulnerabilities, as opposed to simply doing regression testing vs. a defined feature set?

And, since your argument now seems to be that money is not what drives people to find vulnerabilities (which is what MS was arguing, according to the summary, and what the OP was ridiculing), what do you propose drives the "bad guys" to find them?

Re:Translation: (1)

TheRaven64 (641858) | about 4 years ago | (#33002722)

You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former

A saying popular with the OpenBSD team seems appropriate here:

The difference between a bug and a vulnerability is the intelligence of the attacker.

A lot of non-exploitable bugs have, in the past, turned out to be vulnerabilities when someone else looked at how to attack them.

Re:Translation: (1)

ergrthjuyt (1856764) | about 4 years ago | (#33002924)

How many of those "large number of (well paid) test engineers whose full time jobs are to find bugs" are focused on discovering new vulnerabilities

A: More than you could get by offering Joe Public 3000 dollars to look for buffer overflows in Microsoft Outlook. Granted, both approaches are not mutually exclusive.

Why doesn't NASA offer $3000 for each reported flaw in their space vehicle designs? A: It probably couldn't hurt, but it's most likely a giant waste of time.

And, since your argument now seems to be that money is not what drives people to find vulnerabilities...

Not an argument. A fact. Many people report bugs to Microsoft without compensation, why start paying for them now?

...what do you propose drives the "bad guys" to find them?

Assuming that you're saying Microsoft should try to bribe malware authors into reporting the vulnerabilities they are exploiting: It won't work. The "bad guys" aren't going to give up their living for some petty one-time cash payment. That pretty much leaves the white hats, who are already paid, and Joe Public. See above for why Joe Public is not the best source of vulnerability reports.

Re:Translation: (2, Insightful)

msauve (701917) | about 4 years ago | (#33003306)

Paying a bounty is paying only for results. You get a validated vulnerability every time you pay, guaranteed. Paying someone a salary to look for vulnerabilities provides no guarantee that you will successfully find one. How many vulnerabilities are found by this "large number of (well paid) test engineers?" Are there 1000 of them (probably many more)? Do they cost MS $100K each (probably much more) per year? Do they find 1000 x $100000 / $3000 = 33333 vulnerabilities each year? Not based on what MS reports for their patches.

NASA doesn't make the details of their designs available to the general public, nor is there a space vehicle sitting in virtually every home or business which can be examined, so your strawman fails.

Many people report bugs to Microsoft without compensation, why start paying for them now?

To find more vulnerabilities, by getting more people involved. Do you think that offering a bounty provides a disincentive, and would result in fewer reports? Mozilla and Google don't seem to think so.

OTOH, you're probably right about a bounty from MS being a bad thing - if MS were to pay a bounty, they would no doubt make people sign a contract that the vulnerability couldn't be publicly disclosed until a patch was released, then continue to ignore it for as long as they wanted.

Re:Translation: (1)

gorzek (647352) | about 4 years ago | (#33001964)

That's seriously fucked up. The last company I worked at had about 1/3 as many QA testers as developers, and that was still more than the industry norm.

If your product has more testers than developers you are dealing with a seriously flawed product and/or development process.

Re:Translation: (2, Insightful)

Zironic (1112127) | about 4 years ago | (#33002018)

Or just a really big product?

Re:Translation: (0, Troll)

Rogerborg (306625) | about 4 years ago | (#33002084)

Aw, that's so cute. One day, when you're a big boy and work on real products, with real, steady, repeat customers, we'll talk.

Re:Translation: (2, Insightful)

rtb61 (674572) | about 4 years ago | (#33002746)

What happened was M$ went really performance based in their bonus schemes, the more code you produced the more you got paid and the quicker you produced that code the sooner you got your money. Catch with that, performance often does not equal quality and unwittingly they penalised coders who produced well crafted, carefully thought out, compact code (the code you actually want). They did this for long enough to establish bad bloated coding styles as the norm, hence the problem.

Why M$ won't pay for bug bounties: has Slashdot gone quietly loopy? Why would M$ marketdroids pay people to make their products look bad? Oddly enough, for open source paying bug bonuses looks good and demonstrates responsibility but, for closed source, their marketing claims are that their products are perfect, the best software there ever has been, and paying bug bonuses directly undermines that claim. With open source the claim is, it is the best we can do and we will continue to work at making it better and be honest about its qualities and faults, so bug bonuses make real sense.

Re:Translation: (1)

mcgrew (92797) | about 4 years ago | (#33002040)

You give real engineers a bad name, then. It's been said (I think it's someone's /. sig) that if bridges were engineered like software, one would collapse every day.

Sorry, I think MS won't open their source because they're ashamed of it.

Re:Translation: (1)

haruchai (17472) | about 4 years ago | (#33002288)

Here's another - If houses were built the way software is built, the first termite would've destroyed civilization

Re:Translation: (2)

TheRaven64 (641858) | about 4 years ago | (#33002740)

If software were built like bridges, then your word processor would be a typewriter.

Re:Translation: (0)

Anonymous Coward | about 4 years ago | (#33003296)

A lot of Microsoft teams have more test engineers than dev engineers. On more mature products, it has been this way for decades now. So your jab, while comical, is far from the truth.

Maybe, but do those test engineers have what it takes to find new bugs, or are they just running some standard set of regression test suites?
That, while necessary, will find you only maybe 1/3 of all bugs.

Then, if bugs are found, are they fixed? Like, say, all that crap Windows does at initial installation or service pack installation on a dual boot system?

Re:Translation: (2, Insightful)

Anonymous Coward | about 4 years ago | (#33001716)

There's worse...

"We can't afford to get into a bidding war with malware authors."

Re:Translation: (1)

marcosdumay (620877) | about 4 years ago | (#33003322)

Alternatively:

"We spend a lot of money hiding our bugs from the community, why should we spend more money on people that discover them?"

Not enough money in the world (0, Troll)

TeamMCS (1398305) | about 4 years ago | (#33001610)

Sadly, no matter how rich Microsoft are, they simply can't afford to write *that* many cheques.

Re:Not enough money in the world (-1)

Anonymous Coward | about 4 years ago | (#33001846)

Sadly, no matter how rich Microsoft are, they simply can't afford to write *that* many cheques.

So you are joking and "boasting" about other people's work you envision, expect from others but won't contribute to, and to my intuition, never have contributed to?

To take it further, you're mocking something that's infinitely more complex than your ability to grasp or rebuild or construct, yet your criticism feels founded because it's the popular thing to do?

The day you show me a shiny disk with the fruits of your hard labour (or others you've managed) which gives me an experience equatable with what Microsoft gives (they aren't just limited to desktops), then I'll salute and congratulate you and will feel you are authoritative to spew such criticism.

But that won't happen, so you come across as someone who is following a hivemind.

Re:Not enough money in the world (3, Insightful)

hedwards (940851) | about 4 years ago | (#33001954)

And yet, free projects like OpenBSD have so many fewer security problems. I have a really, really hard time grasping on what level MS is doing a good job. They typically refuse to acknowledge bugs until they've patched them and insist upon releasing them on patch Tuesdays without giving responsible end users the ability to patch up as soon as the patch is tested.

Yeah, that's a description of a competent organization. Perhaps if things are that complicated they should be removing things like WiMP and IE which have no place in the base system to focus on making things be actually secure.

Pay? (1)

dammy (131759) | about 4 years ago | (#33001612)

Why would they want to pay when they don't want to know?

What he really means.... (0)

Anonymous Coward | about 4 years ago | (#33001618)

We know our software is buggy as hell. We haven't really cared. And we're not likely to anytime soon.

Unless we get sued or some people die.. maybe... other than that.. it's really not our problem.

We've got the customers locked in pretty good. Especially in a business setting.

They're not going anywhere just because of a few bugs. Why would we pay to fix them?

Translation (-1, Redundant)

aepervius (535155) | about 4 years ago | (#33001622)

"Our OS is so bug-ridden that it is easier to search for the OS bits between the bugs; we would be ruined quickly if we paid for bugs found."

China (-1, Redundant)

Thanshin (1188877) | about 4 years ago | (#33001636)

This alone could fuel China's economy.

There wouldn't be enough ships to transport the gold from Fort Knox to Gùgōng.

It's a supply and demand thing. (0)

Anonymous Coward | about 4 years ago | (#33001648)

It will be a good day when they start having to pay for bugs.
For now, they already have plenty.

ROI (4, Funny)

theskipper (461997) | about 4 years ago | (#33001650)

"We don't care, we don't have to...we're the operating system company."

Re:ROI (2, Informative)

mcgrew (92797) | about 4 years ago | (#33002332)

Attribution: Lily Tomlin's "Ernestine the telephone operator", referring to the then monopoly AT&T (We don't care, we don't have to...we're the phone company), for the younger slashdotters who weren't around when AT&T owned every telephone in America (back then you had to rent your phone).

Microsoft Says No To Paying Bug Bounties (-1, Redundant)

Anonymous Coward | about 4 years ago | (#33001652)

"After all, we have our bottom line to think about", said a Microsoft spokesman. "If we were to actually fix bugs, especially potential security bugs, huge segments of the security industry would go out of business. No, it's best for the economy to not incentivize bug detection and mitigation."

Committed to their current strategy (2, Funny)

ICLKennyG (899257) | about 4 years ago | (#33001654)

About 15 years ago they made a long term investment to running their image into the ground so people would hate them so much that they would be willing to find the bugs for free. It's been working well for a long time, and at this point they have already written the check, why switch?

Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.

Thank you very much, fixed. Next!

Crazy like a fox (news anchor).

Re:Committed to their current strategy (1)

marcosdumay (620877) | about 4 years ago | (#33003378)

"Thank you very much, fixed. Next! "

Up until that sentence all you were saying made a lot of sense. But that simply blows everything up.

The Emperor's New Code (1)

AHuxley (892839) | about 4 years ago | (#33001666)

I guess MS has a new suit of security tech invisible to those unfit for their positions or just hopelessly stupid.
MS knows it's coding nothing at all but marketing has them coding in the finest suit of software.
With this masterstroke, no cry of "But they aren't developing anything at all!" will ever gain traction.
They are safe to wander around the walled gardens.

not surprising (0, Redundant)

thevikas (655423) | about 4 years ago | (#33001670)

Did not think they would loose big money by this. Now it's official: their bugs can bankrupt them.

Re:not surprising (3, Funny)

mcgrew (92797) | about 4 years ago | (#33002596)

Finally! Someone used the word "loose" properly. Even if the meaning of the sentence is different than what you intended (I have no way of knowing), it's true nevertheless. They would have indeed loosed big money.

Interesting... (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#33001678)

There are certainly downsides to the bounty approach(once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).

On the other hand, handing out hard cash, in addition to credit, can certainly be motivational(yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels+occasional fun money bounties+credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues(both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since(with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports than team FOSS could, which would seem like a natural marketing bullet point...

Re:Interesting... (4, Insightful)

iamhigh (1252742) | about 4 years ago | (#33001998)

It's also a little disingenuous to compare MS to Google here. The attack surface area is at least much different; Google worries about what comes over a few ports; MS worries about that, plus locally run malware, not to mention supporting a million hardware devices and all the extras that running a generic-use OS entails.

How about we compare MS to Apple - and neither pays for bug/vulnerability finds.

Re:Interesting... (1)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#33002112)

My comparison was merely in the service of expressing surprise: Given that Microsoft has OSS competitors, most of which are extremely poor(other than a couple of well-sugar-daddied projects), I would have expected them to adopt some sort of vulnerability payment scheme as a PR move(Look at the benefits of quality proprietary software, where we care so much that we pay for bug reports, unlike those penniless hippies), in addition to the practical benefits of scoring a few more bug reports.

Based on the assumption(which I suspect is correct) that relatively small amounts of money can modify the behavior of security researchers not already in the pockets of the spammers or hostile entities, I would expect that Microsoft could convert a fairly small slice of its war chest into a substantial body of useful bug reports, as well as researchers who now have a much stronger incentive to comply with Microsoft's disclosure preferences, rather than just slamming it up on some public forum in order to gain street cred.

Apple has some security issues(more than they let on, if anything); but they don't have a security PR problem, so I would expect them to be much less motivated about trying to buff their image.

What a load of crap (1)

Totenglocke (1291680) | about 4 years ago | (#33001690)

It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update

Yea, because we all know that people really value having their name in a newsletter over having their name in a newsletter AND a few thousand dollars....

the motivations aren't always financial? (1)

jfoobaz (1844794) | about 4 years ago | (#33001696)

Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phishing, or you're targeting companies for data theft, it seems like the motivations are almost always financial.

At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay some dividends there. But more importantly, to say the motivations aren't always financial as though that's a particularly meaningful observation, that's exceedingly stupid and indicates a real lack of understanding of computer security in the real world.

Re:the motivations aren't always financial? (1)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#33001832)

The motivation is largely financial; but I think that there are a couple of psychologically salient wrinkles:

PR is financial in the sense that it is basically a flavor of advertising; but it is also the case that (some people) really do derive happiness from being seen as rockstars/badasses. As in the music/entertainment business, being seen as a rockstar is also a sound financial move; but it is something that certain sorts of people really do value for its own sake.

(Most) people respond differently to money depending on how they got it. People are much more likely to feel an obligation to spend 'routine' money(salary, etc.) in some boring and sensible way, and much more likely to feel a sense of psychological freedom when dealing with 'windfall' money(even if they actually worked hard enough for it that their hourly for that 'windfall' was worse than for their day job). Assuming that you are already comfortable enough, which is probably reasonable for a lot of the people with the software chops to do nontrivial bug-hunts, 3k isn't huge money; but 3k that feels like 'windfall' that you can spend on whatever amuses you will have psychological value higher than 3k out of your paycheck, which will automatically conjure up the list of boring household expenses that it needs to be applied to.

in after 3000 "HURR it would bankrupt them" jokes (2, Insightful)

FuckingNickName (1362625) | about 4 years ago | (#33001714)

They're right. Banks don't pay people who find ways to get into their vaults.

You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).

Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.

Re:in after 3000 "HURR it would bankrupt them" jok (1)

Z_A_Commando (991404) | about 4 years ago | (#33001928)

I agree, but my first thought was that Microsoft produces more software than Google and Mozilla combined, which creates a much larger footprint for vulnerability. This, combined with the fact that some of their software is supported for up to 13 years after it's released (Windows XP), means that it very well would cost them a fortune. And by the time they stop supporting their software, attacks which never existed in anyone's wildest wet dreams have appeared, and the 12-year-old software wasn't designed and can't be significantly rearchitected to handle such attacks. A few examples that come to mind are Windows XP and ASLR or IE 6 and ActiveX.

I also think your point that Microsoft wants people doing this for the right reasons holds significant water. Paying someone a bounty provides the wrong motivation because, instead of Microsoft and the researcher being aligned in a common goal to make software safer, the researcher and Microsoft sit at opposite ends of the table because one side wants to maximize, while the other side wants to minimize, the bounty. If the researcher goes in knowing they aren't going to get paid then there's less incentive for viewing Microsoft as a rich organization to be fleeced and more incentive to work together. Unfortunately, it seems that the researchers think they hold more cards than they do and want to get paid a bounty because "everyone else does" and it would be easy money.

Re:in after 3000 "HURR it would bankrupt them" jok (1)

guruevi (827432) | about 4 years ago | (#33001936)

Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.

What Microsoft needs is first of all a restructuring of the organization - it's hemorrhaging cash, talent and image. Then they need to rewrite Windows and have a transition period where the old is virtualized much like Apple did with Mac OS X a decade ago. Sure it will take them some time but if they're candid enough about it, it will boost their image, people will want to work for them and in the long term it will save them cash. Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.

Re:in after 3000 "HURR it would bankrupt them" jok (0)

Anonymous Coward | about 4 years ago | (#33002016)

Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.

Hey, I've seen that episode of White Collar last week, too :D

Re:in after 3000 "HURR it would bankrupt them" jok (1)

dkleinsc (563838) | about 4 years ago | (#33002102)

Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible ...

The first sentence was a rather nice bit of unintentional humor.

But your point is well-taken: the whole concept of penetration testing was originally taken from the military, which also hires teams to see if they can break their security and leave notes like "code books stolen" if they succeed.

Re:in after 3000 "HURR it would bankrupt them" jok (1)

FuckingNickName (1362625) | about 4 years ago | (#33002278)

They hire people to penetrate

Indeed. They pay people to do it, not because they've already done it. ;-)

Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date

The NT kernel as a bastard stepchild of VMS is really not the cause of any unique-to-MS problems, and MS are experimenting with a major rewrite with Midori if that's really what you're looking for.

NT was the step up from DOS-3.1-95-98-ME becoming mainstream just a little before OS X superseded OS 9 - OS X itself being mostly NeXT work, in turn Mach + BSD + ObjC - in turn standard microkernel theory + Unix + Smalltalk. It's all a nice evolution. I don't see any benefit in making everything another Unix-alike.

Consider the "problem" of the heavy process in a VMS-derived OS. Unix (classically) says, "Let's make fork()ing quick and easy and do everything by forking." NT says, "That's better implemented by threads, with the benefit of full sharing." Midori (and others) ask, "Actually, do we need all these hardware-isolated processes in the first place?" Which is "correct"?

Re:in after 3000 "HURR it would bankrupt them" jok (1)

TheRaven64 (641858) | about 4 years ago | (#33002878)

Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.

Thank you, this sentence made me laugh so hard. It's wrong on so many levels I don't even know where to start with correcting you.

Re:in after 3000 "HURR it would bankrupt them" jok (0)

Anonymous Coward | about 4 years ago | (#33002138)

They're right. Banks don't pay people who find ways to get into their vaults.

MS isn't a bank, my business is a bank, and their vault better f'ing protect my customers' money.

If they aren't doing everything they can to make sure the vaults they're selling me offer that protection, they're acting irresponsibly.

Re:in after 3000 "HURR it would bankrupt them" jok (0)

Anonymous Coward | about 4 years ago | (#33002824)

They're right. Banks don't pay people who find ways to get into their vaults.

no but the vault makers do.

You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl

regardless of who points it out, a vulnerability is a vulnerability.

Re:in after 3000 "HURR it would bankrupt them" jok (0)

Anonymous Coward | about 4 years ago | (#33002964)

>>They're right. Banks don't pay people who find ways to get into their vaults.

Well, not on purpose anyway.

YAAC (0)

Anonymous Coward | about 4 years ago | (#33001730)

The time for this announcement couldn't be better! Windows and Internet Explorer are currently completely vulnerable due to the LNK bug and they haven't even released a fix for it. The next days are going to be interesting ;)

Microsoft will always be top vulnerability king (1)

adosch (1397357) | about 4 years ago | (#33001744)

Microsoft will always sit in the highest thrown when it comes to web browser software insecurity because of that very reluctancy to not only seek white-hat/community researcher help in vulnerability assessments and testing, but also because they are too bottom-line driven to see past it.

We all have a good idea what the average annual salaries some Microsoft employees get paid and up to $3K is a drop in the bucket for someone who will willingly take hours, weeks, months or longer to find something that will do any Microsoft operating shop or end-user a favor. That's more than getting your money's worth not to mention curbing a bad rap.

Even from a general security standpoint, having vulnerabilities exposed, fixed and put in a release keeps that particular ace-up-the-sleeve attack run that malicious cracking communities have that much less effective over time.

Re:Microsoft will always be top vulnerability king (1)

AHuxley (892839) | about 4 years ago | (#33002164)

It goes back to the mind set in their past. IBM gave MS the future of the desktop and from that point it was an endless need to expand and kill.
Code reviews are expensive when you have removed a market segment and face zero competition in the short or long term.
The cash and skill sets are needed for the next area of threat or opportunity.
They also need to make sure the next version does not face a near perfect last version.
Microsoft has no need to never listen to bugs/needs/questions/comments on past issues.
Consumers are trapped in the upgrade cycle or customers are waiting for new marketing and a roadmap to buy in.

Re:Microsoft will always be top vulnerability king (1)

mcgrew (92797) | about 4 years ago | (#33003122)

Microsoft will always sit in the highest thrown

Dew knot truss yore spill chucker.

Re:Microsoft will always be top vulnerability king (1)

adosch (1397357) | about 4 years ago | (#33003424)

You mean grammar checker, right? Should I go as far as mentioning that it was homonym issue? Grab your crayons and go back to your cave, troll.

Bad Microsoft (1)

onyxruby (118189) | about 4 years ago | (#33001840)

This is bad logic, ivory tower thinking even, they are assuming the entire ecosystem will have their chosen set of corp centric values. You would think they would have learned otherwise by now!

Vulnerabilities will be discovered, sometimes by multiple independent parties. These vulnerabilities are either going to be sold, exploited selectively (corp esp against a chosen target), exploited publicly, reserved for future use or given to the vendor.

The responsible thing is to try to move as many to the latter as possible. The most popular way to do that is with cash.

It was all well and good until... (4, Funny)

bsDaemon (87307) | about 4 years ago | (#33001868)

... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.

Of course MS can't afford it... (1, Funny)

Anonymous Coward | about 4 years ago | (#33001880)

...they've spent all their surplus cash paying people who forward Bill Gates' email message to 25 other people.

It's the long delays that annoy people (1)

Error27 (100234) | about 4 years ago | (#33001904)

We all know that security researchers are drama queens. As soon as they find a bug, they want to get a bull-horn out and start crowing about it.

Microsoft on the other hand says that if you don't keep it secret for months or even years then you are a bad person and will try to get you fired.

What they should do is just pay $100 per day for keeping it secret until the bug is fixed. That way even if you don't get bragging rights, you get a pay check.

Signing a non-disclosure agreement like this is pretty normal. It's a part of most businesses but no one wants to do it for free.

When did Microsoft go Communist?! (1)

Anita Coney (648748) | about 4 years ago | (#33002014)

So Microsoft is saying that people should voluntarily and collectively work on fixing and bettering software for free, without any compensation? Mmmm... [theregister.co.uk]

Re:When did Microsoft go Communist?! (0)

Anonymous Coward | about 4 years ago | (#33003336)

It seems more like they're saying they don't value the work people are doing in finding and reporting bugs to them. It seems to me, if that's the attitude, anyone who finds a bug from now on should just publicly post it online so at least admins who have a clue have a chance at patching or otherwise protecting themselves from it. I wonder how quickly they'd change their tune...

I wouldn't pay either (1)

js3 (319268) | about 4 years ago | (#33002090)

I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs. Besides they would get swamped with thousands of duplicate or non existent bugs because SOMEONE WAS DOING IT WRONG, not to mention the "i found it first" and other related lawsuits. Waste of time and money for everyone and you and I the consumers won't benefit one bit. Finding a bug != fixing a bug.

Re:I wouldn't pay either (2, Interesting)

drinkypoo (153816) | about 4 years ago | (#33002340)

I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs.

This is a false dichotomy. They have lots of other options, for example they could throw the money down the hole that is Microsoft's entertainment division, which has so far lost them billions of dollars.

"We value the researcher ecosystem... (1)

Rogerborg (306625) | about 4 years ago | (#33002168)

...and after careful appraisal we've decided that its net value to us is negative several million dollars. It would be way more, but we've already lowered expectations to the point where vulnerabilities barely register on customers' perceptions. And what are they going to do: uninstall the OS that came 'free' with their hardware? Train their moron users on some hippyware like Lunix, or pay a premium for Apple boxes rather than buy discounted Dells? Ahahah, look, people are still buying Dells - these cretins will eat a turd if we sprinkle enough salt on it. We've got nothing to worry about.

Now, pretty please, with sugar on top, kindly Fuck Off And Die already."

There, fixed that for them.

Bounties are unnecessary (1)

bigsteve@dstc (140392) | about 4 years ago | (#33002232)

Microsoft already have more bugs than they know what to do with. They don't need people reporting more :-)

Bounties sucks (1)

kangsterizer (1698322) | about 4 years ago | (#33002286)

The reality is that $3000 for a really good exploitable bug is cheap.

And most companies paying bounties won't pay you for a DoS you found in e.g. Chrome in 2H spare time, and only if you're lucky for things like data leak.
They're only going to pay for sure if you deliver a full-blown, completely documented exploit with proof of concept that lets you take over a system.

But here's the trick! Not only do those take a long while to do, even for the skilled engineer (heck writing docs and stuff sucks), but $3000 is peanuts. Some companies or evil guys pay $10 000 for these (and no, you can't have the extra $3000 later because they're going to give you a NDA - but you can probably make your friend win the $3000 - that's how it works, he just rewrites what you tell him 3-6 months later and on top of that you'll feel better since the bug will actually be fixed)

Re:Bounties sucks (1)

kangsterizer (1698322) | about 4 years ago | (#33002326)

To be slightly more on topic I'll add to that that Microsoft is the number ONE target and thus gets a lot of bugs discovered for free. Bounties might have a small effect (partly due to what I explained before, since eventually a friend will want the $3000 right?), but certainly the small effect is more important for software companies with a lesser market share.

Take Apple for example, they'll never pay bounties (heck, those guys don't even put credits if you're not a big guy, they don't *even* mention the vulnerability if you didn't make a lot of noise about it, silent fix 6 months later, no thanks, nothing else than a single email "we're looking into it, please don't tell anyone about what you found - this is an automated msg please don't reply to it").

Yet they don't get *that* many exploits because it's a small part of the market (coincidentally (not) the number of exploits reported has risen recently as their market share has grown)

However even Microsoft has a much better security response team and passive analysis (in this case, I don't know, but I doubt Apple even has an analysis team, except for iPhone jailbreak and such stuff)

Re:Bounties sucks (1, Insightful)

Anonymous Coward | about 4 years ago | (#33002380)

Someone please mod this guy up to the top of the page.

Good exploits are being sold on the black market for $10,000 and more without the NDA shit. Unless you are very moral there is no incentive to report your discoveries to vendors at all!

How the conversation probably went... (1)

ctchristmas (1821682) | about 4 years ago | (#33002540)

Researcher: I want $3000 like Google and Mozilla pay.
Microsoft Representative: No.
Researcher: $2000?
Microsoft Representative: No.
Researcher: Could I at least meet Bill Gates?
Microsoft Representative: *sigh*No, anything else?
Researcher: Uhm... lapdance?
Microsoft Representative: Ok fine, we will pay you one lapdance or hentai dvd per bug. That is my only and final offer.
Researcher: DEAL!

Just go to 3rd party (1)

subanark (937286) | about 4 years ago | (#33002728)

There are various 3rd party research groups that you can sell your exploits to for money. They are legal, moral and assist the targeted companies in getting them fixed (and providing emergency fixes to their clients)...

This doesn't help too much when you find a non-exploitable bug though, or are we only talking about exploitable ones?

Or you can... (1)

Kalidor (94097) | about 4 years ago | (#33002852)

... do what Marc Maiffret did and turn your affiliation with Microsoft and penchant for finding and addressing vulnerabilities into a profitable career/company. Frankly, I think the credibility he earned goes a heck of a lot further for making money in the long run than a series of bounties would. It also further limits any possible muck-rakers from trying to insinuate conflicts of interest.

Also, I am not sure people realize that Microsoft has made leaps and bounds in terms of how they view security/vulnerabilities since the 90's. Going beyond the chuckles: Do they have problems still? Sure, but it's no longer viewed as a marketing problem; they acknowledge it's an engineering problem and have an actual hope in Hades of fixing it compared to a company that once used to treat everything as branding and marketing.

This is what microsoft believes should be free (3, Insightful)

jhoegl (638955) | about 4 years ago | (#33003328)

I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh that is not even the best part. I went to report a bug to MS over the phone and guess what they wanted: a down payment. You know... just in case it wasn't a bug.

This just in (1)

NetNed (955141) | about 4 years ago | (#33003376)

In other shocking news, the sky is blue, water is wet, ice is cold and fire is hot.

"the motivations aren't always financial" (1)

wonkavader (605434) | about 4 years ago | (#33003404)

"the motivations aren't always financial" is a phrase I've heard before -- mostly from HR departments. It means someone who doesn't care about the product, but rather about making his/her departmental bottom line, is running things.

Money never hurts, and moves mountains. Yes, some people do it for free. More people will do it if there's cash. This means Microsoft either wants to:

    1. save money (unlikely, but possible at a departmental level)
    2. not find bugs (likely -- they take work to fix and cause embarrassment)
    3. not have a simple quantifiable number associated with bugs, like "how much did you pay out this year on bug bounties?" so that consumers notice that they have more bugs than anyone else (very, VERY likely)
