Microsoft Says No To Paying Bug Bounties

Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."
  • Interesting... (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Friday July 23, 2010 @08:21AM (#33001678) Journal
    There are certainly downsides to the bounty approach (once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).

    On the other hand, handing out hard cash, in addition to credit, can certainly be motivational (yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels + occasional fun money bounties + credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues (both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since (with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports than team FOSS could, which would seem like a natural marketing bullet point...
  • by FuckingNickName ( 1362625 ) on Friday July 23, 2010 @08:28AM (#33001714) Journal

    They're right. Banks don't pay people who find ways to get into their vaults.

    You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).

    Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.

  • Re:Translation: (Score:2, Insightful)

    by Anonymous Coward on Friday July 23, 2010 @08:28AM (#33001716)

    There's worse...

    "We can't afford to get into a bidding war with malware authors."

  • by ergrthjuyt ( 1856764 ) on Friday July 23, 2010 @08:28AM (#33001718)

    Or it could be because they would be bankrupt within the week.

    But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

  • Re:Translation: (Score:4, Insightful)

    by msauve ( 701917 ) on Friday July 23, 2010 @08:40AM (#33001786)
    Actually, your claim supports his.

    If there weren't lots of bugs to be found, they wouldn't need so many test engineers. Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release? That would be the truly comical claim.
  • by mcgrew ( 92797 ) * on Friday July 23, 2010 @08:41AM (#33001792) Homepage Journal

    It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

    And they modded you "funny" but you're absolutely right, sorta, even if a little exaggerated; they have far more dollars than sense. Well, maybe not sense; ethics.

  • by hedwards ( 940851 ) on Friday July 23, 2010 @09:06AM (#33001954)
    And yet, free projects like OpenBSD have so many fewer security problems. I have a really, really hard time grasping on what level MS is doing a good job. They typically refuse to acknowledge bugs until they've patched them and insist upon releasing them on patch Tuesdays without giving responsible end users the ability to patch up as soon as the patch is tested.

    Yeah, that's a description of a competent organization. Perhaps if things are that complicated they should be removing things like WiMP and IE which have no place in the base system to focus on making things be actually secure.
  • Re:Interesting... (Score:5, Insightful)

    by iamhigh ( 1252742 ) on Friday July 23, 2010 @09:12AM (#33001998)
    It's also a little disingenuous to compare MS to Google here. The attack surface area is at least much different; Google worries about what comes over a few ports; MS worries about that, plus locally run malware, not to mention supporting a million hardware devices and all the extras that come with running a generic-use OS.

    How about we compare MS to Apple - and neither pays for bug/vulnerability finds.
  • Re:Translation: (Score:3, Insightful)

    by Zironic ( 1112127 ) on Friday July 23, 2010 @09:14AM (#33002018)

    Or just a really big product?

  • Re:Translation: (Score:2, Insightful)

    by ergrthjuyt ( 1856764 ) on Friday July 23, 2010 @09:29AM (#33002134)
    Actually, my claim doesn't support his. He claimed that Microsoft "can't afford" or chooses not to pay people to find bugs in their software. I asserted this was false because of the large number of (well paid) test engineers whose full time jobs are to find bugs.

    Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release?

    I never even came close to making such a claim. Nice try though.

    If there weren't lots of bugs to be found, they wouldn't need so many test engineers.

    I'm not sure what point you're trying to make. Anyone with even rudimentary exposure to software development or testing theory understands that having tests is not a sign that a product is buggy. Quite the opposite actually.

    The fact is that Microsoft's products are heavily tested and they care a lot about security (backed up with money to pay for testers -- lots of them). This isn't to say that they are perfect or never make bad security design decisions, but any assertion that they don't care about security or bugs is provably false.

  • Re:Bounties sucks (Score:1, Insightful)

    by Anonymous Coward on Friday July 23, 2010 @09:53AM (#33002380)

    Someone please mod this guy up to the top of the page.

    Good exploits are being sold on the black market for $10,000 and more without the NDA shit. Unless you are very moral there is no incentive to report your discoveries to vendors at all!

  • Re:Translation: (Score:4, Insightful)

    by msauve ( 701917 ) on Friday July 23, 2010 @10:11AM (#33002548)
    As they say, "the proof's in the pudding." MS has earned a reputation for vulnerabilities in their software. You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former. How many of those "large number of (well paid) test engineers whose full time jobs are to find bugs" are focused on discovering new vulnerabilities, as opposed to simply doing regression testing vs. a defined feature set?

    And, since your argument now seems to be that money is not what drives people to find vulnerabilities (which is what MS was arguing, according to the summary, and what the OP was ridiculing), what do you propose drives the "bad guys" to find them?
  • by thoth ( 7907 ) on Friday July 23, 2010 @10:13AM (#33002572) Journal

    It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

    I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to. Some possible reasons:

    1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.

    2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irritates the bean counters who are asking, aren't we already paying for people to work on security issues?

    3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.

    It is interesting they don't want to do it though.

  • Re:Translation: (Score:3, Insightful)

    by rtb61 ( 674572 ) on Friday July 23, 2010 @10:26AM (#33002746) Homepage

    What happened was M$ went really performance based in their bonus schemes, the more code you produced the more you got paid and the quicker you produced that code the sooner you got your money. Catch with that, performance often does not equal quality and unwittingly they penalised coders who produced well crafted, carefully thought out, compact code (the code you actually want). They did this for long enough to establish bad bloated coding styles as the norm, hence the problem.

    Why M$ won't pay for bug bounties: has slashdot gone quietly loopy? Why would M$ marketdroids pay people to make their products look bad? Oddly enough for open source paying bug bonuses looks good and demonstrates responsibility but, for closed source their marketing claims are that their products are perfect, the best software there ever has been, and paying bug bonuses directly undermines that claim. With open source the claim is, it is the best we can do and we will continue to work at making it better and be honest about its qualities and faults, so bug bonuses make real sense.

  • by v1 ( 525388 ) on Friday July 23, 2010 @10:33AM (#33002834) Homepage Journal

    That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.

    But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors (or at least your PR antichrists), it makes sense to either hire them or become their best customer. Either of which will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.

    What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinacy?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.

  • by Anonymous Coward on Friday July 23, 2010 @10:33AM (#33002836)

    Because they would have to have a system where bugs are identified and tracked.
    Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.

    For Microsoft, honesty is not the best policy - they are more of a let-the-dog-sleep, good-enough type company.

  • Re:Translation: (Score:3, Insightful)

    by msauve ( 701917 ) on Friday July 23, 2010 @11:13AM (#33003306)
    Paying a bounty is paying only for results. You get a validated vulnerability every time you pay, guaranteed. Paying someone a salary to look for vulnerabilities provides no guarantee that you will successfully find one. How many vulnerabilities are found by this "large number of (well paid) test engineers?" Are there 1000 of them (probably many more)? Do they cost MS $100K each (probably much more) per year? Do they find 1000 x $100000 / $3000 = 33333 vulnerabilities each year? Not based on what MS reports for their patches.

    NASA doesn't make the details of their designs available to the general public, nor is there a space vehicle sitting in virtually every home or business which can be examined, so your strawman fails.

    Many people report bugs to Microsoft without compensation, why start paying for them now?

    To find more vulnerabilities, by getting more people involved. Do you think that offering a bounty provides a disincentive, and would result in fewer reports? Mozilla and Google don't seem to think so.

    OTOH, you're probably right about a bounty from MS being a bad thing - if MS were to pay a bounty, they would no doubt make people sign a contract that the vulnerability couldn't be publicly disclosed until a patch was released, then continue to ignore it for as long as they wanted.

  • by jhoegl ( 638955 ) on Friday July 23, 2010 @11:14AM (#33003328)
    I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh that is not even the best part. I went to report a bug to MS over the phone; guess what they wanted: a down payment. You know... just in case it wasn't a bug.
  • by mqduck ( 232646 ) <mqduck@@@mqduck...net> on Friday July 23, 2010 @11:42AM (#33003684)

    It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

    I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?

  • Re:Translation: (Score:2, Insightful)

    by ergrthjuyt ( 1856764 ) on Friday July 23, 2010 @11:44AM (#33003710)

    Paying a bounty is paying only for results.

    Only if you think reviewing the thousands of "reports" submitted to claim a bounty can be done for free. You could easily spend millions (e.g., ~10 employees) going through the list and not find a single actionable bug. You think every report is going to be a genuine, original vulnerability? Get real.

    Do you think that offering a bounty provides a disincentive, and would result in fewer reports?

    There is substantial evidence from the field of psychology that paying for something displaces the original incentive to do it for free. If Google and Mozilla ever ended their bounty program, their rate of reports is virtually guaranteed to fall below the reporting rate from before the bounty was offered. I encourage you to look at the contemporary research in human motivation.

    NASA doesn't make the details of their designs available to the general public

    ...and you've inadvertently stumbled on the answer, congratulations. Microsoft's programs are closed source, which is an important difference. Their testers can do full white-box vulnerability assessments and will be able to do more than some guy who picked up the DVD at Best Buy.

    You're implying that Microsoft is either stupid or stingy and that they made the wrong call. I'm pretty sure they thought about it longer than you did, with more metrics and research than you have, and just decided it wasn't worth it. Perhaps you should consider this a possibility instead of just assuming you're right.

  • by Anonymous Coward on Friday July 23, 2010 @03:48PM (#33006850)

    There’s a feeling of futility when you run into a bug in proprietary software. You feel like there's nothing you can do about it so you work around it.

    It's such a certain thing that the bug won't be fixed that you code for the existence of the bug even though you know that it will create compatibility issues when YEARS LATER the bug is fixed by the next iteration of Windows.