Bill Gates Should Buy Your Buffer Overruns 196

Slashdot regular Bennett Haselton has written in with his latest essay. He starts: "WabiSabiLabi generated some controversy recently by announcing their eBay-like site for security researchers to sell security exploits to the highest bidder. But WabiSabiLabi didn't create the black-and-grey market for security exploits, they merely helped draw attention to it. There's nothing that companies like Microsoft can do about the black market where security exploits sell for tens of thousands of dollars, but there's one obvious thing they can do to help protect users: offer to buy up the security vulnerabilities themselves. If they did that, then the exploits would probably never make it onto a black-market auction in the first place, because the 'white hat' researchers would have found them and reported them first. Thus I think WabiSabiLabi is doing the world a favor, by shining a spotlight on the black market that thrives when companies won't pay for security bug reports."

Really, what is a good argument against companies paying for security exploits? It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer is: would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead. (Throughout this discussion, I'm using Microsoft as a metaphor for all companies which have products in widespread use, and which do not currently pay for security exploits even though they could obviously afford to.)

Perhaps you say that you would be willing to report bugs to Microsoft for free, and I respect people who do that out of selflessness, but that's not the point. Even if you and some other people would do "white-hat testing" for free, there are more people who would do it if there were prizes. The number of people willing to do security testing for free has not been enough to keep exploits from being found and sold on the black market -- but if Microsoft offered enough money, it would be. Obviously if Microsoft offered more than the black-market prices, everyone would just sell their exploits to them. But Microsoft could probably offer much less than the black-market prices and still put the black market out of business, because there are lots of researchers who wouldn't sell exploits on the black market even for tens of thousands of dollars, but would be willing to participate in a legal Microsoft "white hat" program for much less money.

Microsoft would undoubtedly say that they do their own in-house testing, and indeed the offer of a prize should not be used as a substitute for good security testing within a company. But at the same time, the fact that a company does their own testing isn't a good reason for not offering a prize. If a company says that they already do their own in-house security audits to catch as many bugs as they can, that still doesn't answer the question: given that a cash offer would probably result in an outsider finding a new exploit that they missed, why wouldn't they want to take it? Even if there are already outsiders who willingly find new exploits and turn them over to Microsoft for free, there's almost certainly at least one more exploit out there that would be found if they offered a cash prize. (And if the cash prize doesn't turn up any new exploits, then the company doesn't pay out and has lost nothing.)

I've done security consulting for companies like Google and Macromedia that paid me "by the bug", so you might think I'm biased in favor of more such "bounty" programs because I think I could make money off of them. Actually, I think that if Microsoft and most other large software companies offered security hole bounties to everyone in the world, almost all exploits would be picked clean by other people, my chances of getting anything out of it would go way down, and there would be one less buffer protecting me from having to get a real job. But most people's computers would be safer.

Microsoft does in fact "pay" for security exploits in their own way, by crediting people in their security bulletins. To some people, who report exploits in hopes of being recognized, this is apparently enough. And there are third-party companies like iDefense who will buy your security exploits and then use them to gain reputation-credits for themselves, by handing them over for free to the software developer and warning their own clients about the potential risks. But there are a lot of people, including me, who have found exploits in the past but don't consider the benefits of being mentioned in a Microsoft security bulletin to be worth the effort of finding a new one. And even the benefits that iDefense gets from reporting security holes are evidently not sufficient for them to offer enough money for exploits to compete with the black-market prices (if iDefense got that much benefit out of it, then they'd be able to offer so much money that nobody would sell exploits on the black market). So using recognition as payment is evidently not enough; as Lord Beckett says, "Loyalty is no longer the currency of the realm; I'm afraid currency is the currency of the realm."

A cash prize program might mean that some people get mad when they are turned away for offering "exploits" that don't really qualify, but so what? What are they going to do for revenge, release their "exploit" into the wild? If it's not a real exploit, then it won't do any harm, and if it is a real exploit, then Microsoft should have paid them after all! Some people might threaten to sue if they aren't awarded prizes, even if the rules of the program state clearly that Microsoft is the final arbiter of what counts as an exploit. Maybe in some rare cases they would even win. But all of this could be considered a cost of running the program, just like the cost of giving out the prizes themselves -- and all insignificant compared to the cost of an exploit that gets released into the wild and allows a malicious site to do "drive-by installs" of spyware onto people's machines.

Probably the real reason Microsoft doesn't pay for security exploits is that they don't pay the full price for those drive-by installs and other problems when a new exploit is discovered. I've heard hard-core open-source advocates say that either (a) Microsoft should be held liable for the cost of exploits committed using flaws in their software, or that (b) users of Microsoft software should be held liable for exploits committed through their machines (which would drive up the cost of using Windows and IE to the point where nobody would use it). If that happened, Microsoft probably would pay for security exploits to forestall disaster. But let's make the reasonable assumption that neither of those liability rules is going to come to pass. The real price that Microsoft currently pays for security exploits is in terms of reputation, and the price they're paying right now is too low, because people don't realize that Microsoft could find and fix a lot more bugs by spending only a tiny amount of money -- but chooses not to. Despite all the snickering when "Microsoft" and "security" are used in the same sentence, most people seem to believe that Microsoft is doing everything they can to prevent users from being exploited. But as long as Microsoft doesn't pay for security holes, they're emphatically not doing "everything they can".

It's not that I think security bosses at Microsoft are trying to screw anyone over. They probably just have an aversion to the idea of paying for security holes, and what I'm arguing is that such an aversion is irrational. The people they would be paying money to are not criminals or bad people, they're legitimate researchers who just can't afford to do work for Microsoft for free when they could be doing something else for money. Offering cash will bring in new exploits, and every exploit that is reported and fixed is one that can't be sold on the black market later.

There are some interesting details that would have to be worked out about how such a program would be implemented. For example, what happens if Bob reports an exploit, and then Alice later reports the same exploit, before Microsoft has gotten a chance to push the patch out? Microsoft wouldn't want to pay $1,000 to both of them, because then whenever Bob found an exploit, he could collude with Alice so that they both "independently" reported the same bug and got paid twice. Microsoft could pay only Bob, but Alice could get so disillusioned at getting paid nothing that she might stop helping entirely. My own suggestion would be to split the money between all researchers who report the same bug in the time window before the fix is pushed out. If 10 researchers happened to report the same bug and each only got a paltry $100, some of them would quit in disgust, but if researchers start to leave because the average payout-per-person has fallen too low, then that will drive the average payout back up, so the number of active researchers stays in equilibrium.

Another issue: What happens if a researcher reports an exploit confidentially, and then the next day, the exploit appears in the wild? If Microsoft's policy was that they would pay for the exploit anyway, then a researcher would have no incentive not to sell the exploit twice, once to Microsoft and again on the black market (whereupon it might start being used in the wild). On the other hand, if Microsoft refused to pay for exploits that were released in the wild before they issued a patch, then that might leave many researchers feeling cheated if they turned in a genuine exploit and got nothing just because someone else sold it on the black market before the patch came out. My suggestion would be to simply pay for exploits even if they did subsequently get released on the black market -- on the theory that of the white hat researchers who turn in bugs to Microsoft, most of them would be ethically opposed to selling exploits to black marketeers, so they shouldn't be punished if the exploit ends up on the black market since they probably weren't the ones who put it there. Another option would be to make the payout so large that even if researchers got no payment when the exploit got leaked into the wild before a patch was issued, the payout from the times that they did get paid would more than make up for it.

But whatever rules are decided upon, there should be some sort of monetary reward for people who confidentially report security flaws to big software companies. Whatever you can say about the merits of rewarding people through "recognition", or through social pressures to practice "responsible disclosure", the one obvious fact is that it hasn't been enough -- exploits still get sold on the black market, and every exploit that gets sold on the black market would have been reported to Microsoft if they'd offered enough money. The talent is out there that could find these bugs and get them fixed. Most of these people just can't afford to donate the work for free -- but the amount of money Microsoft would have to pay them is far less than the benefits that would accrue to people all over the world in terms of fewer drive-by spyware installs, fewer viruses, and fewer security breaches. And if these benefits were reflected back at Microsoft in terms of greater user confidence and fewer snide jokes about "Microsoft security", then everybody would win all around. There are no barriers to making this happen, except for a mindset that it's "bad" to pay for security research. But if you prevent millions of Internet Explorer users from being infected with spyware, you deserve to at least get paid what Bill Gates earns in the time it took you to read this sentence.

  • by Gothmolly ( 148874 ) on Wednesday July 18, 2007 @12:05PM (#19902327)
    Why couldn't I sell my exploit to the black market, THEN sell it to Microsoft a day or two later?

    -1, Duh
    • by illegalcortex ( 1007791 ) on Wednesday July 18, 2007 @12:08PM (#19902391)
      You could, and that would probably still be a GOOD thing. Because if MS fixed it quickly, it means those who purchased the exploit would get a lot less for their money. Therefore, they'd be less willing to buy exploits in the future, or at least pay less.

      Such a market wouldn't be about *exclusive* knowledge of exploits.
      • by dvice_null ( 981029 ) on Wednesday July 18, 2007 @12:52PM (#19903097)
        I got the perfect solution for Microsoft. They should call their next version of Windows "Sheep". What kind of a criminal would risk getting caught and ending up in news articles that have titles like "Mr X got caught exploiting a hole in Sheep"? How would you explain that to your parents?
      • Re: (Score:3, Insightful)

        by TubeSteak ( 669689 )

        Because if MS fixed it quickly, it means those who purchased the exploit would get a lot less for their money.
        That is a huge assumption to make.

        MS regularly sits on vulnerabilities for months instead of patching them.

        By creating such a marketplace, MS effectively gives away information on which non-public vulnerabilities they are aware of, but have yet to patch. That can't be a good thing.
        • by kimvette ( 919543 ) on Wednesday July 18, 2007 @01:57PM (#19904141) Homepage Journal

          MS regularly sits on vulnerabilities for months instead of patching them.


          Why should they fix it in the current version of Windows? There has to be a compelling reason to upgrade to the next version of Windows, and in the case of Vista, DirectX 10, the Playskool-style interface and [continue]/[cancel] thing just aren't cutting it.

          The next version of Windows will be the most secure Windows release ever. Upon its release: Windows 2010: Upgrade now! Better virus protection! Less prone to spyware (except Microsoft-preinstalled spyware [slashdot.org])!
          • Why should they fix it in the current version of Windows? There has to be a compelling reason to upgrade to the next version of Windows

            That may have been true 5 years ago, but leaving Windows insecure gives people just one more reason to switch to Macs or Linux boxes, and pitch the same idea to their bosses. It did for me, and now our company has a Mac on every desk.
          • by Ant P. ( 974313 )

            There has to be a compelling reason to upgrade to the next version of Windows, and in the case of Vista, DirectX 10, the Playskool-style interface and [continue]/[cancel] thing just aren't cutting it.
            That's all part of MS's clever money-sucking plan. In the next version the selling point's going to be the lack of those.
            In fact, I'd wager that was Windows ME's sole purpose.
        • Re: (Score:3, Interesting)

          by man_of_mr_e ( 217855 )
          MS regularly sits on vulnerabilities for months instead of patching them.

          So does Apache, Mozilla, and pretty much any other software vendor, either open or closed source.

          You don't really buy into that "flaws are fixed in 24 hours" BS that people like to claim about open source, do you?

          Here's a clue: when a patch is released, look at the date the CVE was created. In almost all cases the CVE was created weeks or months earlier. It's just that the vulnerability doesn't get publicly disclosed until a patch i
      • Because if MS fixed it quickly...

        That's a mighty big if.
      • by giminy ( 94188 )
        Therefore, they'd be less willing to buy exploits in the future, or at least pay less. ...Or they'd be more willing to pay you a visit...a lot of the people buying these zero-days are Chinese military and other government-funded security groups. Not exactly the type of people that I would want to cross (or even be involved with, for that matter).

        Reid
    • by Joebert ( 946227 )
      Because whoever you sold it to on the black market would more than likely make your life a living hell, if not just kill you if they ever found out you did that.
      • by shmlco ( 594907 )
        So why not sell it to Microsoft first, THEN sell it to someone else. Odds are that they can make use of it before Microsoft gets around to fixing it and releasing it on "patch Tuesday".

        Although, when you stop to think about it, what's really stopping someone from selling it as many times as they want? If they're the kind of person who'd create it and sell it in the first place, I'm supposed to believe their "promise" that they won't sell it to anyone else?

        "No, no. This is the only copy of the disk. Really."
        • Although, when you stop to think about it, what's really stopping someone from selling it as many times as they want? If they're the kind of person who'd create it and sell it in the first place, I'm supposed to believe their "promise" that they won't sell it to anyone else?

          Um, threat of a very, very painful death? You'd be dealing with some very unpleasant people here; I think they might interpret such behavior as treachery.
    • So, will we get massive Clone armies for hunting down rebel security holes? Boba Fett to the rescue!
    • by altoz ( 653655 ) on Wednesday July 18, 2007 @12:31PM (#19902779)
      That'll work once but won't work the next time. Any market has its reputation system and if you're known to sell to both (an obvious thing since Microsoft will have patched it shortly), I'm sure people will bid less and less for your exploit.

      Plus, do you really want to screw over black market customers? They're not your typical customers. I'm sure they'll do a lot worse than not shopping from you again if you screw them over (think identity theft or worse).
      • That'll work once but won't work the next time. Any market has its reputation system and if you're known to sell to both (an obvious thing since Microsoft will have patched it shortly), I'm sure people will bid less and less for your exploit.

        If sellers with bad reputations on eBay manage to come back with another identity and continue business as usual, it seems plausible that those marketing hacks could do the same.

        Plus, do you really want to screw over black market customers? They're not your typical custo
    • Depends who you sell it to. Double-cross the wrong people and I reckon you'd be getting a beating from some nasty gentlemen. The criminals who bought the exploit might also be a bit violent.
  • by beuges ( 613130 ) on Wednesday July 18, 2007 @12:05PM (#19902337)
    What's to stop someone getting paid big bucks by microsoft for vulnerabilities, and then reselling the same exploits to the next highest bidder as well? I'd imagine that the people in the business of selling exploits to the highest bidder aren't the most ethical types to begin with.
    • by vortex2.71 ( 802986 ) on Wednesday July 18, 2007 @12:14PM (#19902477)
      Who cares how many times they sell it? The point is that Microsoft can buy it and then fix it, thus eliminating the market value of the exploit. If someone can sell it to other people then good for them. It's still in Microsoft's best interest to buy it as early as possible and fix it as early as possible.
      • by jkrise ( 535370 )
        But what if the original seller leaks it to someone else before a fix, and this new bloke tries to sell the same hack independently to Microsoft? Unless MS is telling others of what vulnerabilities and hacks they have already bought - which is unlikely if not impossible - this scheme will not work.

        In fact it could make things much worse - people will now have direct financial incentive to cause havoc by exploiting unfixed vulnerabilities.
    • Because if you do that once or twice you will get tracked down via the money lead. If I were MS or any other customer I would require some identification, preferably through the financial institution that I'll be sending the money to.
    • by kebes ( 861706 )
      But who is the "next highest bidder"? If you sell your vulnerability to MS and also the black-market, for instance, then you're screwing both of them... and they will notice. MS will notice the vulnerability in the wild, and if it happens repeatedly, they will probably stop trusting you.

      If the black-market guys notice that MS came up with a patch surprisingly quickly after you sold them the exploit, they are going to be very angry, because you've very much decreased the value of the exploit. And I would ima
    • It makes far more sense to be a legal, well rewarded security researcher with a useful CV than a criminal. Nothing gives a person ethics like being well paid for it.
    • I wouldn't worry about it. The original post has some misguided view of reality, with a misguided enough perspective to not realize what is wrong with it when put to practical use.
    • I wonder if this strategy could be used as a means to averting terrorism?

      That is, don't just offer large amounts of money for the most important terrorists (like bin Laden), but also offer varying amounts of money for reports that stop terrorism.
      • Re: (Score:2, Insightful)

        by disasm ( 973689 )
        Great idea...

        Yes, is this the US government? Yes, I got word that Bat_Masterson is planning to blow up the White House. I think you should go arrest him and give me $5000 for reporting this incident before he could wreak havoc. What, he's an upstanding citizen? No, that's just a front he's pulling; he really is a terrorist and needs to be dealt with. Okay, I'll get the check in the mail next week, sounds good to me. Glad to do my part in averting terrorism.

        Sorry Bat, I know you weren't planning that, but I real
  • Economics (Score:5, Insightful)

    by gad_zuki! ( 70830 ) on Wednesday July 18, 2007 @12:06PM (#19902361)
    If MS offers 10,000 dollars per exploit then that's going to be the minimum bid in the market. Someone will then offer 10,500 and the enterprising hacker will go for the extra cash. I don't see how MS's involvement can help this.

    What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.
    • Re:Economics (Score:5, Insightful)

      by cowscows ( 103644 ) on Wednesday July 18, 2007 @12:21PM (#19902615) Journal
      Yeah, except that you'd very quickly find yourself without a security team.
    • Re: (Score:3, Insightful)

      by MartinG ( 52587 )
      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit

      Who the hell is going to work there with such an utterly idiotic policy?

      Surely one aspect of this is that they should be looking to attract good people to the team. Threats of "fines" is hardly the way to do it.
    • by benhocking ( 724439 ) <benjaminhocking@NOspAm.yahoo.com> on Wednesday July 18, 2007 @12:26PM (#19902699) Homepage Journal
      There are a lot of intelligent people who would be willing to do it legally for far cheaper prices than the black market will pay to do it illegally. Not everyone is immoral. Personally, I'd like to believe that most people are basically good people.
      • And those're just the ones who are going to actively pursue this.

        There's the other side... those who find a problem, and just don't do anything about it. Why should I go to the MS website and hunt for an hour for a link if I find an exploit? I could just forget it and move on with my life and do work which actually generates a paycheck.
      • Re: (Score:2, Insightful)

        by Peacenik45 ( 988593 )

        Immorality has nothing to do with it. I don't think there's anyone out there who willingly would do something wrong or 'evil'.

        It's just that when you're faced with the opportunity to sell something you worked hard on (or chanced upon) for a lot of money, you probably will want to get as much of a return on your work as possible. You don't want to be the shmuck who turned down $1000 because he was worried about the exploit ending up in the wrong hands. You'd try to justify it. You'd think 'Oh, Microsoft wo

        • It's just that when you're faced with the opportunity to sell something you worked hard on (or chanced upon) for a lot of money, you probably will want to get as much of a return on your work as possible. You don't want to be the shmuck who turned down $1000 because he was worried about the exploit ending up in the wrong hands. You'd try to justify it. You'd think 'Oh, Microsoft would find out about this eventually' or (as somebody else commented) 'Microsoft probably wouldn't patch this immediately anyways'

      • by AusIV ( 950840 )

        There are a lot of intelligent people who would be willing to do it legally for far cheaper prices than the black market will pay to do it illegally.

        Reminds me of the piracy debate. I've long said that part of the problem with piracy is that the pirates offer better (less restrictive) products than the original media producers, and that the media producers might see a boost in sales if they started selling unrestricted products more equivalent to what you can get from a pirate. Personally, I prefer to get

    • Re: (Score:3, Insightful)

      by fermion ( 181285 )
      In summary, the exploit will generally be more valuable to the attacker than the defender, for many different reasons. Mainly, a baddie might buy ten exploits for $150K, use one or 2, perhaps make 200K, and while the profit margin may not be great, a profit might at least be generated. On the other hand, MS might get those same exploits for $100K, but where is the upside? Did the exploits cost them anything? No, they externalize all those expenses to the government and the customer. Sure they can affo
      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      Let's fire one police officer for every crime that isn't prevented. Brilliant!

      Here's a thought. Read the entire summary - the theory is to have an incentive for white/gray hats to get more involved, and so decrease the value of exploits by finding and patching them sooner. There is nothing you can do about the people who
      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      Wrong. Studies have shown that negative reinforcement often has the reverse effect due to the fact it breeds contempt. After you punish the security team so much that they have little left to work for, they'll probably start including exploits for spite.

      It's human nature.
    • If MS offers 10,000 dollars per exploit then thats going to be the minimum bid in the market. Someone will then offer 10,500 and the enterprising hacker will go for the extra cash.

      Only if you assume the amoral hacker.

      I posit most people are moral, and most people also have to pay the bills. Given the choice between $0+morality and $2500+immorality, most will choose the second, because $0 gets you starved and on the streets. But given the choice between $10K+morality and $10.5K+immorality, most will chose t
    • by Sapphon ( 214287 )
      Having the minimum bid price raised to $10,000 isn't an issue if Microsoft, as discussed in the write-up, continues to offer the $10,000 even after the bug has been sold on the black market. In this scenario, it's no longer a single market, and the economically rational thing for the exploit-finder to do is to sell the exploit to both parties.

      I've seen posts arguing that if you do this (sell to both), the black market will stop trusting you and won't pay for your exploits. In that case, those sellers may c
    What would you rather have, an extra 500 dollars or knowing that you don't have to worry about the feds kicking your door in and dragging you off to jail, or worse, the Russian Mafia dragging you off to a meat locker somewhere to face Boris the Bear and his assorted woodworking tools, who informs you 'Exploit not be working, now I show you how Boris do hacking, eh?'
    Security isn't just the responsibility of a "security team". Security is something you have to build in throughout the software. Which means docking pay from the security folks will probably just mean fewer security folks at your company, which means less oversight of the code, which means even less secure software than you've got now.

      For the above policy to even have a chance at working, you'd have to apply it to every developer. And suppose you did that - now you've created an incentive for the developer
    • by syousef ( 465911 )
      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      You sir are a total moron. You've also just demonstrated the very worst spirit in an employer-employee relationship. I hope you're not a manager and I hope you never are one.

      First of all it's not always possible to fix every serious flaw immediately.

      Secondly security is always a tradeoff with ease of use of a system. Som
  • outsourced testing (Score:4, Insightful)

    by ecklesweb ( 713901 ) on Wednesday July 18, 2007 @12:07PM (#19902381)
    Almost sounds like an argument to outsource testing to the general public and pay them for it. Not sure why MS would do this when they've been outsourcing testing to the general public for years and charging licensing fees for it!

    Cynicism aside, do you think that it really makes business sense for MS to pay for vulnerabilities? Has their revenue really been hurt that badly from their current security practices?
    • The key question is, IMO, has their revenue been hurt more than it would cost to pay for vulnerabilities? I'd say it has. Sure, you could argue that the revenue loss is not a large percentage of their total revenue, but presumably paying for the vulnerabilities would cost even less.
    • Re: (Score:3, Insightful)

      by mr_mischief ( 456295 )
      I'm not sure it's cynicism when it's so obviously true. In Microsoft's defense, it's very difficult to properly test everything for stability and performance against all the third-party hardware and software out there.

      It's not that difficult, though, to check for buffer overruns, array bounds violations, and stack overflows these days. It's also not that difficult to use proper security protocols as opposed to crap like PPTP, for that matter.

      I think Microsoft's public image has been hurt pretty badly by the
  • Yeah this (Score:4, Insightful)

    by Dunbal ( 464142 ) on Wednesday July 18, 2007 @12:09PM (#19902399)
    Makes much more sense than actually writing secure software in the first place, doesn't it?

    This is a silly idea. It assumes that if Microsoft pays someone to keep quiet about a security vulnerability, no one, ever, will independently discover this SAME vulnerability. Human nature dictates that when you hand out money, you will quickly have people waiting in line.

    Reminds me of the Romans paying the barbarians NOT to invade them. Sure, give your enemy an income and make him rich. Makes a LOT of sense...
    • Re: (Score:3, Insightful)

      by khallow ( 566160 )
      Sounds more analogous to bribing some barbarians to tell you what the tribe is thinking of doing. Then you can patch up your defenses and anticipate the sometimes enemy.
    • Re: (Score:3, Informative)

      by vfrex ( 866606 )
      What does it matter if the same vulnerability is discovered? Microsoft would buy the knowledge of the exploit, patch it, and it would no longer be an issue.
    • by knewter ( 62953 )

      It assumes that if Microsoft pays someone to keep quiet about a security vulnerability, no one, ever, will independently discover this SAME vulnerability.

      Don't be retarded. It doesn't mean that. It means that a lot of times the ethical researchers will stay quiet; the group of people looking at bugs might increase (and would only get denser in the 'ethical' category). It means that MS will get first dibs on exploits rather than try to start thinking about a patch AFTER Code Red. It means an awful lot of good stuff. It's a good idea, for all of the thoughtful reasons mentioned in the article.

      Don't do his logic the disservice of being viewed on the same

    • I think they pay so they can LEARN about the vulnerability and patch it; the reason Microsoft isn't paying for these vulnerabilities is that they're maintaining the stance that they don't want to deal with criminals (how ironic from Microsoft) rather than actually admitting they can't fix all the bugs in their POS software in a timely fashion.

      The most interesting thing about this is that these vulnerabilities are already available in the wild. Hackers only need 1 or 2 -- of however many are openly avail
  • So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"?
    The short answer is that Microsoft just doesn't give a damn. They fix security holes when forced to. If they were a grocer, you'd have to prove to them that you have shit before they'd sell you toilet paper.
    • Re: (Score:3, Funny)

      by Cro Magnon ( 467622 )

      If they were a grocer, you'd have to prove to them that you have shit before they'd sell you toilet paper.

      I'm running Windows! What more proof do you need?!
    • by Ant P. ( 974313 )
      More likely if they were a grocer, you'd have to prove you have shit before they stop trying to charge you for its weight in fresh vegetables.
  • Lengthy. (Score:5, Funny)

    by Funkcikle ( 630170 ) on Wednesday July 18, 2007 @12:12PM (#19902439)

    Click that magical little read more link below to continue the thought.
    At 11508 bytes, I am afraid my interest buffer would be overrun.
  • Read more? (Score:4, Funny)

    by yanos ( 633109 ) <yannos@@@gmail...com> on Wednesday July 18, 2007 @12:18PM (#19902559)
    Click that magical little read more link below to continue the thought.

    No no no no. That's sooo web 1.0. Now we say after the jump! You're so out of touch with the current trends of the blogosphere!
  • Good idea but (Score:4, Insightful)

    by sheriff_p ( 138609 ) on Wednesday July 18, 2007 @12:25PM (#19902681)
    I think this is a good idea, but it's unlikely to happen - by buying such a thing, Microsoft sets themselves up in a position of liability - something that software vendors have so far largely managed to avoid.

    Say they buy one exploit, but not another, and some company gets caught by the other. Microsoft have put themselves in a pretty nasty legal liability position there.

    Additionally, it'll look a lot like endorsement of black-hat practices, something MS will want to avoid... ...
  • Shout from the highest roof top in every city that black hats should be hanged. It won't be long before there's a mob ready to hang black hats. Better still, Microsoft comes out looking like the good guy.

    Microsoft has employed this strategy for at least a decade now.

    This story is preposterous.
  • This assumes that the 'best' exploits make it to some sort of market. In my experience, the best ones are written as works for hire by organizations intent on committing political, industrial or financial espionage. They tend not to be widely distributed and don't produce easily detectable fingerprints in the form of network traffic, strange PC behavior, system crashes, etc. Many have yet to be discovered.

    The prices that these sorts of exploits command would make a significant hole in Microsoft's finances.

  • I guess I'm confused as to why this is different than the government/police offering up rewards for criminals and fugitives? Sure it would be nice if Microsoft could solve all of this beforehand with some well written code, but I can understand how things get through considering the size of their code base and the numbers of people trying to collaborate.

    If we don't have a problem with paying to get criminals off the street, why should we care if someone is getting paid for an exploit. If all these 'ga
  • What's the incentive? Yes, people bash MS, and complain about all the bugs and exploits, but I don't think it's hurting their bottom line, so they've got no reason to change. I think it would be great and logical to have some kind of discretionary monetary reward system for reported vulnerabilities (just like you might reward someone who returned a lost wallet or something), but I'm a regular person. A high-level manager might see several problems with this:
    • Once you pay for the vulnerability, you've ba
  • Wouldn't work. (Score:3, Insightful)

    by Spy der Mann ( 805235 ) <spydermann...slashdot@@@gmail...com> on Wednesday July 18, 2007 @12:41PM (#19902917) Homepage Journal
    OK, give us your info, and we'll pay you if we consider it's genuine.
    (2 days later) Guess what, it's not a true exploit. Sorry, no pay.
    (1 week later, at Windows update) We've fixed a patch for a recently discovered vulnerability!
    • by Sapphon ( 214287 )
      (1 week later still) Hey, I found another exploit! Should I report it? You know what.. let's exploit that sucker.

      You're supposing that large companies are naive enough to value the short-term gain of saving on one payout over the long-term gain of having freelance bug-finders out there. Is that realistic?

      (remember, this article is about ALL large software companies, even if only one of them has been used as a stand-in)
  • Rewarding unethical behavior?

    What could *possibly* go wrong?
  • Would be for Microsoft to simply open source the entire Windows kernel and everything else. Winning the security race is an impossible task these days - it means buying positive press, paying for scumbag hackers who have no scruples etc. etc. It's clear over the past decade that it is impossible to add security as an after-thought to a shoddy security model.

    If MS releases everything else except a few secrets and binary drivers, these security researchers will find their entire industry crumbling down instan
  • by Archie Gremlin ( 814342 ) on Wednesday July 18, 2007 @12:46PM (#19902997)
    In my experience, MS aren't interested in reports of security holes anyway.

    I found a security hole in an MS product about 6 months ago so I sent a full description with working test code to secure@microsoft.com.

    I got an automated response (so far so good) but then I heard nothing more. After a month, I sent them another email to ask if they were doing something. Silence. Another month later I rang Microsoft support and asked them to give me an update. They told me that the case number doesn't exist and that they don't have a department called the "Microsoft Security Response Center".

    Eventually I found an engineer who does support for the product with the security hole. He said he'd heard a _rumour_ about the MSRC and offered to track them down. Eventually, I got an email update from them saying "we might get round to fixing it in a few months."

    In short, if they're not interested in free security reports, why would they pay for them?
    • by tqbf ( 59350 ) on Wednesday July 18, 2007 @01:10PM (#19903401) Homepage

      I'm not sure why people are modding up a post that claims that the MSRC is a "rumor" inside of Microsoft. The MSRC is famous; news stories are written when people move to and from the group. They release all the Microsoft advisories, each of which typically elicit yet another news story. A position in the MSRC was listed as "one of the worst jobs in science" in SciAm (obviously wrong; people compete to get jobs there).

      Why don't you tell us more about the security flaw you claim to have found?

  • What about the exploits that aren't accidents, but are actually designed in, i.e. (har-har) Active-X controls that allow anyone to execute arbitrary, unrestrained code on every system that visits a website. Paying for someone to report these obvious exploits would amount to paying someone to call you an idiot.

    The author's problem is that he thinks Microsoft should be concerned about delivering a good product. Everyone privy to how corporations work knows that the goal is only to deliver a product that the c
  • No technology company in the world spends more money on security testing than Microsoft does. At any one time, it's likely that Microsoft retains a plurality of the security testing industry to perform code review and black-box testing on the myriad of products they are releasing this cycle. These aren't Microsoft employees; these are team members of the boutique security consultancies being paid directly by Microsoft to find vulnerabilities in products before they ship.

    Microsoft is already paying for vuln

  • Does he realize that he is talking to people who write software and operating systems in their spare time and give it away for FREE?? And he is trying to justify his greed to people who would mostly do what he wants for free as well? And he tries to manipulate us into thinking it's ok by using Microsoft as an example.

    If he wants to try to make money off of exploits and the like, then let him go take it up with the vendors. There is no reason to try to appease his conscience by preaching here that we sh
  • As many people have pointed out, Microsoft's problem is that they don't seem to take the "big picture" approach to bug fixing often enough. I mean, how often have we known that buffer overflows are a problem? Microsoft itself even has a page on safe string handling functions [microsoft.com] to replace strcpy and its ilk. Switching to these functions is trivial.

    Microsoft has harder problems facing it-- buffer overflows are only one class of problem. But it seems that Microsoft's highly compartmentalized development p
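  The comment above on Microsoft's safe string functions, and the earlier one saying it is "not that difficult" to check for buffer overruns and array bounds violations, both describe the fix without showing it. The C below is an added example written for this page; it is not code from Microsoft's safe-string page or from any poster. NAME_MAX, the bounded_copy helper (a portable strlcpy-style stand-in for strcpy_s/StringCchCopy) and the sample names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed field size for the illustration */

/* "Before": the pattern the comments are about. strcpy copies until it
 * finds the source's NUL terminator and never consults the size of dst,
 * so any src of NAME_MAX or more characters writes past the end of the
 * buffer. The overrun itself is undefined behaviour, so this function
 * is shown for contrast and is not exercised with oversized input. */
void set_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* The check a reviewer performs by hand: strcpy writes strlen(src)+1
 * bytes, so a destination of dst_size bytes is overrun exactly when
 * strlen(src) >= dst_size. */
bool would_overflow(const char *src, size_t dst_size)
{
    return strlen(src) >= dst_size;
}

/* "After": a bounded copy with strlcpy-style semantics, a portable
 * stand-in for the MS safe string functions (this helper is an
 * assumption, not Microsoft's code). It never writes more than dst_size
 * bytes, always NUL-terminates dst when dst_size > 0, and returns
 * strlen(src) so the caller can detect truncation with
 * `return value >= dst_size`. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Copies src into a NAME_MAX-byte buffer with bounded_copy and reports
 * whether the result equals `expected`, so the truncation behaviour can
 * be checked without handing out a raw buffer. */
bool copy_gives(const char *src, const char *expected)
{
    char buf[NAME_MAX];
    bounded_copy(buf, sizeof buf, src);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample inputs: one that fits, one that just fits,
     * one that would overrun a NAME_MAX buffer under strcpy */
    const char *inputs[] = { "alice", "bob-the-builder", "averylongusername" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char buf[NAME_MAX];
        size_t want = bounded_copy(buf, sizeof buf, inputs[i]);
        printf("%-18s strcpy overrun: %s  bounded copy: \"%s\"%s\n",
               inputs[i],
               would_overflow(inputs[i], NAME_MAX) ? "yes" : "no ",
               buf,
               want >= sizeof buf ? " (truncated)" : "");
    }
    return 0;
}
```

The point of returning strlen(src) rather than a bare success flag is that silent truncation is its own bug class (a truncated path or username can still be accepted as valid), so the caller is given enough to reject the input instead of quietly shortening it.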
  • Step 1. Discover Exploit
    Step 2. Submit Exploit to MS for prize
    Step 3. MS rejects exploit saying they already were aware of that, thank you, try again.
    Step 4. MS patches previously unknown vulnerability using free 0 day information.
    Step 5. MS gets great PR for stepping up their security program and fixing tons of stuff.

    You MIGHT get some of the big players to go ahead and play along and pay. But given the behaviors of most of the companies involved in the major security issues...good luck getting
  • People keep submitting stories to Slashdot about WabiSabiLabi, but when you go there, there really isn't anything to see. Is WabiSabiLabi the story, or is the story WabiSabiLabi? Look, six months from now, WabiSabiLabi will be gone for fairly obvious reasons. It was a fair shot at Internet cash, but the Dot Com bubble burst, and people just are not really interested in that kind of business model anymore.
  • This idea may seem great on paper, but in order to buy an exploit, a person would have to provide payment, which is the fatal flaw. Now, let's say the feds want to get a quick list of people that may be using exploits for unlawful computer access. Subpoena the DB of the exploit auctioneer, and voilà, a giant list of exploit users. Like shooting fish in a barrel. Something tells me this exploit auction system may work OK if companies purchase it, but I don't think underground exploit buyers are going to surfa
  • Fortress (Score:2, Funny)

    by Spazmania ( 174582 )
    there's one obvious thing [Microsoft] can do to help protect users: offer to buy up the security vulnerabilities themselves.

    Sure, because the way to keep folks off your lawn is to erect a fortress and then reward anyone who breaches it with cash.

    • by Sapphon ( 214287 )
      It's not Microsoft's lawn, it's Joe User's lawn; Microsoft is selling the fortress, and paying for anyone who reports a (literal) back door so they can nail it shut.

      Joe User's lawn is better protected, and Microsoft sells more fortresses.
  • Microsoft Pension Plan:

    1) Get a job on the Microsoft Windows team.
    2) Build in a bunch of exploits.
    3) Retire.
    4) Expose the aforementioned bugs.
    5) ????
    6) Profit!

  • All your buffer overruns would belong to Gates.
  • Sure some people would be "legit" and sell the exploits to companies. Others just want to be "l33t" and get them out there on the inter-tubes. If the monetary incentive were good enough, I think the balance would tip, for a time, to selling the exploits to companies.

    However, I think this approach would go down in flames in a matter of months. Why? Well I worked for 3 fortune 500 companies and anything that happens in these large companies is very, very slow. Microsoft or any other company buying exp
  • ... after all, if I told a company that I had found a security exploit but wouldn't give it to them unless they paid me for the information, I think they'd call the FBI. Some circles call this "blackmail."

    This is a proposition filled with potential hazards to the exploit finder so, ironically, the safest and most profitable means of disclosure is through black auctions of some sort or another.

    I believe a LAW would actually have to be written to exempt security experts from civil/criminal prosecution before
  • by gatesvp ( 957062 ) on Wednesday July 18, 2007 @05:09PM (#19906847)

    Look, there are lots of good explanations here, and personally, I'm a fan of the "bounty system". When I first saw "bounties" for Ubuntu I was overjoyed! Feeding IT people is really important for IT growth.

    However, in this case, the logical flaw is actually the market, do a cost/benefit analysis. Microsoft, as a monopoly, does not make or lose any significant amount of money on OS security flaws. Companies with a budget capable of supporting security flaw bounties, don't actually need them short-term.

    These big companies are publicly held and security flaw bounties do not help quarterly profits, or even annual profits (why these are important is a different issue). If I have SAP running my 10,000 employee business I can't just leave b/c SAP has too many security holes, moving is very expensive. It's probably cheaper to eat a small customer lawsuit than to switch systems. Now, if I'm really smart/motivated/scared I may move off on the next upgrade cycle, but these cycles only happen every 5-10 years. So SAP won't set up public security bounties b/c it is not beneficial to their shareholders in any way they can fathom. MS has the same deal, sure they can make the OS/DB/IIS more secure, but it must already be secure enough as nobody's leaving, right?

    You have the right idea, but the impetus for broad security testing is simply not there. The only people who would "benefit" from such bounties are actually the unestablished new-comers or the competitors to monopolies (like Linux providers). With an open bounties system, these companies can use the security feature as leverage for marketing their product. But these are still very long-term deals and such a company would need to convince investors that the long-term benefits of such an action outweigh the short-term costs.

    In the case of, say, Linux and LAMP and PostgreSQL, we're probably there. These guys are great candidates for such open bounties. And these long-term activities are likely to pay off. Mac OS X may benefit from the same interest as they try and poach desktop/home users. But MS and SAP and other dominant players can't deliver better profits to their investors with such a system, so they won't do anything until investors get scared and start demanding one. We're not there yet.

  • It seems to me that this whole area is fraught with problems, and that the proponents of a "free market" are missing some of the history here.

    #1 The history of paying for exploits.
    This is a relatively new phenomenon, but historically where it has happened vulnerabilities have been purchased on the black market, by security research companies such as iDefense (now a subsidiary of Verisign). The reason that these companies did this is because these were (and are) exploitable, and were being happily used b
