Does Microsoft Need Bug Bounties?
Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."
Re:They'd be gone in a week (Score:5, Insightful)
And a lot of bugs can't be fixed because old applications rely on them and people only buy Windows for backwards compatibility.
When I was writing Windows video drivers years ago we had to deliberately put bugs into our drivers to match the bugs in the standard Windows drivers because various popular applications would fall over without them.
Guess what Microsoft? (Score:4, Insightful)
There is good money to be had selling discovered vulnerabilities. If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.
Re:A Fundamental Problem with This Suggestion! (Score:4, Insightful)
On a serious note, I don't even think Microsoft releasing the code at this point would be a good thing by any means.
When something starts out open source, it's great. The obvious bugs get found while people are still playing with it. IE is in heavy production use ... if you just open it up at this point in the game you'd probably get an enormous influx of security holes.
It's not just a practicality question (Score:5, Insightful)
It's also a philosophical question. Microsoft as an organization believes that the best possible way of producing software is to hire the smartest programmers you can get your hands on, give them a carefully honed specification designed by the best marketing and UI people you can get your hands on, directed by the best management you can get your hands on, and have them go to work. And if you're Bill Gates, this really does seem like the right way to do business.
The trouble is:
1. You can't get your hands on all the smart people in the world.
2. Even if you could, enough people hammering at software in every way imaginable has a way of uncovering problems that the smart guys hadn't even thought of. I'm talking about stuff like "I didn't know that they were going to try to use some sort of wildly different equal sign Unicode code point from Cyrillic instead of a UTF-8 '='". That makes the population of users a much better source of uncovering obscure bugs than the best QA team could ever manage.
3. Linus's Law suggests that when somebody uncovers these sorts of obscure bugs, there's somebody in the world who could figure it out pretty easily. Using my earlier example, chances are that in the whole of Russia, there's somebody who really is interested in Unicode in a way that no sane person ever would be, and because of that developer's familiarity with Unicode and Cyrillic, they are going to have a good idea how to fix the bug in the best way possible. It may not be perfect right off the bat, but it will be started in the correct way because the person in question has the exact specialized knowledge needed to solve the problem. So the population of programmers not working for Microsoft is going to outperform Microsoft's programmers by sheer numbers if nothing else.
4. ESR pointed out that the guy in Russia interested in Unicode is far more motivated to fix a hypothetical Cyrillic Unicode bug than a programmer working in the bowels of Microsoft's headquarters, because it's a bug that affects them directly in a field they care about.
In other words, Microsoft can't win these kinds of fights, but they can't give up the belief that they can win these kinds of fights. Hence they won't change, no matter how much they should.
Re:A Fundamental Problem with This Suggestion! (Score:0, Insightful)
You do realize that most bugs and vulnerabilities are not found by looking at source code, right? Oh right, you're just another one of those "many eyes on the source" morons that ignores the countless bugs and security vulnerabilities that have slipped past these mythical many eyes (Debian OpenSSL fiasco, UnrealIRCD trojan, malware infested packages signed with Red Hat's own private key, etc).
Re:A Fundamental Problem with This Suggestion! (Score:2, Insightful)
This reminds me of a funny quote from Undocumented DOS on getting access to the complete DOS source code. You couldn't, but you could get a mix of source, binaries (.obj) and debugging information (symbol values) for the binaries if you paid a few thousand dollars for the OEM Adaptation Kit or something like that. The authors of Undocumented DOS opined "That's almost as good as source code - the only thing it is missing is the comments, which are probably misleading anyway."
With that in mind, here's how to get symbols for Microsoft binaries:
http://support.microsoft.com/kb/311503
It's worth pointing out that people don't debug non-trivial things by staring at source code - they debug the binary using a debugger. If you have symbols, you can do that.
Re:#3) Penetrate and Patch (Score:4, Insightful)
Correction, no *known* bugs. There is no such thing as "bug free". Did you factor in the framework? The OS? I thought not.