
Does Microsoft Need Bug Bounties?

Posted by Soulskill
from the how-deep-are-their-coffers dept.
Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."
  • Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

    Here is the source [mozilla.org] for Mozilla projects. Here is the source [chromium.org] for Google Chrome. And where do I find Internet Explorer's source code? Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code. How can they start a bug bounty program when they won't even trust the community with seeing their code?

    To put it another way: when you practice security through obscurity, offering monetary incentives for bug discovery is not a financially sound decision.

    Furthermore, there have been times when a bug submitted to Google was deemed not a bug and a discussion ensued why that was with the source code referenced. I believe Microsoft could just say, "Oh, sorry, we don't owe you anything for discovering that feature but since you can't see the source code you'll have to take our word for it."

    Microsoft doesn't need bug bounties. They need to achieve the prerequisite of code inspection before they can even consider putting their money where their mouth is [slashdot.org].

    • by bsDaemon (87307)

      I'd venture to guess that the majority of vulns are found using a debugger/disassembler such as Ole, IDA, or WinDBG rather than looking at the source code. The source can lead you only so far. The binary is what matters. Check out the ABO exercises some time, just as an example. Just saying.

      • by Daengbo (523424)

        What Microsoft really needs to do is to stop ignoring vuln reports for six months or a year, only to label the researcher a criminal when he/she finally goes public with it. "Responsible Disclosure" my ass!

    • by Anrego (830717) * on Friday May 06, 2011 @02:50PM (#36050614)

      On a serious note, I don't even think Microsoft releasing the code at this point would be a good thing by any means.

      When something starts out open source.. it's great. The obvious bugs get found while people are still playing with it. IE is in heavy production use ... if you just open it up at this point in the game you'd probably get an enormous influx of security holes.

      • by ArsonSmith (13997)

        ...you'd probably get an enormous influx of security holes.

        Small nit-pick: You already have the security holes now for free, this would just help in pointing them out.

    • Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

      • That is a very good point, generally when a security vulnerability is found in windows, it's usually determined to be a bug carried over from windows XP that was reported 7 years ago.
      • by mysidia (191772) *

        Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

        So you can make the 'bounty submitters' sign an agreement not to reveal the vulnerabilities they discover, or the fact they discovered a vulnerability; for fixing at your leisure.

    • by PickyH3D (680158)

      Ah yes, the infamous, "everyone else is doing it argument."

      Suggesting that the only source of security with IE, the team that originated the idea of sandboxed browsers, which only Chrome matches, is a bad joke.

      Turning the talk of a bug bounty program into a discussion on open versus closed source is just as bad.

      People are not finding the major security vulnerabilities in these browsers by sifting through their source code; they are doing it by using fuzzing and similar debugging techniques designed to break

    • by mysidia (191772) *

      Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code

      It's called Microsoft Shared Source Initiative [microsoft.com]

      You just have to meet certain prerequisites: you need to be an enterprise with 1500 licensed Windows seats, sign a big fat NDA, and intend to use the source code for an eligible reason.

    • by torsmo (1301691)
      I have a deep suspicion this article was posted to give a boost to the +4 Funny market.
  • Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!
    • by 0123456 (636235) on Friday May 06, 2011 @02:41PM (#36050504)

      And a lot of bugs can't be fixed because old applications rely on them and people only buy Windows for backwards compatibility.

      When I was writing Windows video drivers years ago we had to deliberately put bugs into our drivers to match the bugs in the standard Windows drivers because various popular applications would fall over without them.

    • I can wish.

      I would love to see both M$ and Sony completely liquidated.

      • Why?

        Just do like I do and don't use or buy their stuff.

        I don't "hate" either company because what they do or make is pretty much irrelevant to me, but if other people like and pay for their products then that's their choice and good luck to them.

        They're just ***COMPANIES*** making stuff, not ***RELIGIOUS ORDERS***.

    • by plopez (54068)

      You're right. Their cash position has been slowly degrading and sales are not what they used to be. What is telling is that they got hit by this last depression harder than Apple. They are tied to businesses and home markets, both vulnerable to economic downturns. Apple sells many low priced things, music downloads and low end iPods are examples, that they have actually been growing. MS has been losing market share as well to Linux and Apple. The slow squeeze is on and there seems to be no equivalent of

      • Perhaps you need to review Microsoft's financials before saying such silly things. 2009 was the only year in which sales went down, 2010 they increased by 7%, and so far expectations are that they will increase by 15% (approximately).

        Date          / Sales   / Growth
        June 30, 2011 / $71.85B / 15% (estimated)
        June 30, 2010 / $62.48B / 7%
        June 30, 2009 / $58.44B / -3%
        June 30, 2008 / $60.42B / 18%
        June 30, 2007 / $51.12B / 15%
        June 30, 2006 / $44.28B / 11%
        June 30, 2005 / $39.79B / 8%
        June 30, 2004

    • by Darinbob (1142669)

      Stop being so anti-Microsoft. It would take a month at least for them to go bankrupt this way.

    • by mysidia (191772) *

      Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!

      They could adopt a policy of paying $100 each to the top 500 people each week by number of confirmed vulnerabilities.

  • paying out the nose, but that wouldn't be a terrible thing if it helped their products.
  • As many bugs as they have, it could put a dent in their profits.
    • by blair1q (305137)

      A dent.

      But shortly they'd have very few bugs, and still have something to sell.

      And then it'd be worth the money. Maybe more. Likely more.

      And they'd soon be even richer.

      So bug bounties would be a wise investment.

  • I was trying to submit a Windows 7 bug report last week and found it damn near impossible. It's like they would rather pay you to NOT submit bugs.
    • by 0123456 (636235)

      It's like they would rather pay you to NOT submit bugs.

      That's a lot cheaper than fixing them.

  • They are already paying for their bugs anyway...or at least their consumers are.
  • by Jailbrekr (73837) <jailbrekr@digitaladdiction.net> on Friday May 06, 2011 @02:43PM (#36050542) Homepage

    There is good money to be had selling discovered vulnerabilities. If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.

  • In Soviet Microsoft, you PAY them to report bugs.
    No seriously, if you are a lowly person that found and confirmed a bug, you have to pay them to talk to them.
    So yeah... Fuck Microsoft.
  • POKE781,96:SYS58251 makes my screen do funky things.

    • POKE781,96:SYS58251 makes my screen do funky things.

      Never caught that one.
      Is it like MISSINGNo. ?

  • But Microsoft could definitely use more Fletcher Christians and fewer Captain Blighs.

  • Since Microsoft has a habit of ignoring the issues that get reported without a bounty, I don't see how adding one would improve the issue.

    One of the reasons for Full Disclosure is to pressure companies that think of security vulnerabilities as a PR problem instead of an urgent technical issue. If the first reaction you get from a company is "this only affects a small handful of users" then they are trying to patch through spin instead of fixing the problem. Microsoft is not the only one that does this, but

  • What if, instead of Microsoft sponsoring bounties for bugs in Microsoft code, we all just started a pool ourselves to fund a bounty for Microsoft coders?

    It doesn't cost that much, surely someone must know a guy who knows a guy?

    Clearly, since we can't fix the bugs ourselves, the most efficient solution is to make sure no more bugs can be introduced... Let's end the problem at its source!

    • by couchslug (175151)

      Why do I want to help a company which I regard as an enemy?

      I don't want them to improve, I want them to fail, badly.

  • I think we should give Microsoft time to work on security vulnerabilities. As already by weeks the software updates have maxed hard drive space and performance is lowering. What is wrong is that the software originally is not made always secure of threats only accidents and patches that all.
  • People who find bugs in software say Microsoft should pay people who find bugs in their software. News at 11.
  • by dkleinsc (563838) on Friday May 06, 2011 @03:16PM (#36050914) Homepage

    It's also a philosophical question. Microsoft as an organization believes that the best possible way of producing software is to hire the smartest programmers you can get your hands on, give them a carefully honed specification designed by the best marketing and UI people you can get their hands on, directed by the best management you can get their hands on, and have them go to work. And if you're Bill Gates, this really does seem like the right way to do business.

    The trouble is:
    1. You can't get your hands on all the smart people in the world.
    2. Even if you could, enough people hammering at software in every way imaginable has a way of uncovering problems that the smart guys hadn't even thought of. I'm talking about stuff like "I didn't know that they were going to try to use some sort of wildly different equal sign Unicode code point from Cyrillic instead of a UTF-8 '='". That makes the population of users a much better source of uncovering obscure bugs than the best QA team could ever manage.
    3. Linus's Law suggests that when somebody uncovers these sorts of obscure bugs, there's somebody in the world who could figure it out pretty easily. Using my earlier example, chances are that in the whole of Russia, there's somebody who really is interested in Unicode in a way that no sane person ever would be, and because of that developer's familiarity with Unicode and Cyrillic is going to have a good idea how to fix the bug in the best way possible. It may not be perfect right off the bat, but it will be started in the correct way because the person in question has the exact specialized knowledge needed to solve the problem. So the population of programmers not working for Microsoft is going to outperform Microsoft's programmers by sheer numbers if nothing else.
    4. ESR pointed out that the guy in Russia interested in Unicode is far more motivated to fix a hypothetical Cyrillic Unicode bug than a programmer working in the bowels of Microsoft's headquarters, because it's a bug that affects them directly in a field they care about.

    In other words, Microsoft can't win these kinds of fights, but they can't give up the belief that they can win these kinds of fights. Hence they won't change, no matter how much they should.

    • by ljw1004 (764174)

      What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in whether an async lambda inside an anonymous type declaration triggers invalid codegen, and wouldn't even discover the issue until the language feature has been in widespread use for five years, but internal QA will discover the bug before the feature ships. On your question of unicode bugs,

      • by swillden (191260)

        What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties

        So you're saying that more bugs are reported by people who get paid to report them than by people who don't. Obviously that has to make us wonder what would happen if non-employees could get paid for reporting bugs.

        • by ljw1004 (764174)

          Good point. If we do accept this premise that paying people is the best way to get bugs filed, then it becomes an economic and moral question:

          * Does the "bounty" system find better bugs per dollar spent once you factor in the wasted costs of administering the bounty system, or the current "salary" system? In other words, has the free market pegged the salary level of Q&A staff incorrectly?

          * If the "bounty" system is indeed more cost effective, is that because we're exploiting the bounty-hunters by getti

          • by swillden (191260)

            There is a questionable assumption implicit in your first question, which is that a small number of QA people working full-time is equivalent to a large number of people working part time. I think there's a strong argument to be made that when searching for security bugs it's important to use a large variety of approaches. One grad student or independent researcher may well come up with an angle that none of the QA team members would ever have come up with -- not because he's necessarily smarter, but beca

      • What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in _____

        Halt Give me the source code. Then, and only then, can you make such a comparison... I do care, but I just thought it was a bug somewhere else in my project that I hadn't ironed out... With open source compilers (such as LLVM and GCC/G++), I can check the source and SEE if my hunch is correct or not -- it is rarely, but sometimes is a compiler bug -- Screw your half-assed attempt at comparing black-box to white-box bug analysis.

        Additionally, Quit you tard! GTFO our compiler! YOU are the F*Ing proble

    • by Kozz (7764)

      So what you're saying is... "In Soviet Russia, bugs find you!" ?

    • by camperslo (704715)

      Most of the bugs are not nearly so obscure as what you're suggesting, although some are discovered by people quite far away. A video with Bruce Dang of MS speaking at the 27th Chaos Communication Congress is revealing. He spoke on behind the scenes thinking and fairly early/rapid analysis done in looking at Stuxnet and seeing what/how it exploited in Windows in multiple ways with 100% reliability. (The talk does not cover the far more serious aspects of Stuxnet, the PLC-targeting payload or the implica

  • I can see the headlines now "M$ pays $4 million in bug bounties" compared to FireFox and Chrome. This would be every marketer's nightmare.
  • Kurt Werle says:
    "Microsoft may have to start paying users in order to stay relevant."

    Now can we have a stupid article that quotes me?

    Headline: "Should Microsoft pay its users?"

    Because saying something stupid seems to be the bar for getting mention, here...

  • by Salvo (8037) on Friday May 06, 2011 @04:57PM (#36051750)

    The real problem with Microsoft's Windows is support for Legacy Hardware and Software.

    Microsoft Windows wasn't designed to be secure in the first place. Even Windows NT-based OS's reintroduced legacy support for backward compatibility; a strategic blunder to pander to the ultra-conservative developer base.

    The Application Developer Base is refusing to adapt to new, secure APIs like .NET, especially in the corporate sector, and is sticking to legacy APIs like Win64, Win32 and even Win16.
    Plugin Developers still program insecure ActiveX and NS-Plugins, as well as Toolbars.

    Hardware Manufacturers are refusing to write drivers that adhere to the new security models.

    The only way MS can make Windows secure is to do what it should have done with the introduction of Windows NT and remove Legacy Support. It worked for Apple with Mac OS X and the "Classic" and "Rosetta" virtual machines. Microsoft are trying to do it with the Windows Ultimate "XP Mode", but failing.

    They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever." They need to tell their Corporate customers, "If you're still running XP because of some stupid Legacy software, we're going to cut you loose next year. We won't be supporting you."
    They don't think they can do this in case their customer base jumps ship to Mac or Linux. Even though it is a risk, they can because the majority of their user-base want Cheap Hardware and Easy-to-use Software, which rules out both Mac and Linux. They are locked into whatever Microsoft dictates.

    • by bk2204 (310841)

      They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever."

      They already did. There were programs that broke really badly in Vista because developers were continuing to use interfaces that were marked as deprecated and going away. Microsoft had for years refused to certify these same programs as "Designed for XP" (or whatever it was called) because they used the obsolete interfaces.

      It turned out really badly for them. People blamed Vista for the bugs. I had to explain the situation to lots of users and informed them that it was actually the software companies' fault

    • The Application Developer Base has billions of lines of working code that they don't have the budget to rewrite in .NET. I look forward to the day when Microsoft try to dictate to their corporate customers and their corporate customers, just like they did with Vista, will say 'screw you we're not buying something that doesn't run our software'. XP Mode exists because, out in the real world, software can't just be rewritten on a whim or because Microsoft say it should be, and in fact should be on all versio

  • by snookiex (1814614)
    It's more profitable to exploit a MS product vulnerability than filing a bug report and getting a few bucks.
  • Divq zr nakvif fiz?
    Enssvavreg vfg qre Ureetbgg nore obfunsg vfg re avpug. -- Nyoreg Rvafgrva
    Ertanag cbchyv.
    frzcre ra rkperghf
    FRZCRE HOV FHO HOV!!!!

    I believe that last one says, something about crying out for "Help" "Help", or calling out for "Security!" -- What language is this -- seems vaguely familiar... almost like when Dance Dance Revolution moves scroll up the screen, and I think: Holy Hell -- These Brainfuck coders [wikipedia.org] have some messed up concepts of fun!

  • Find a bug in Firefox or Chrome and you're helping make a product better that will make future products better.
    Find a bug in IE and there is a likelihood that few people will ever use that code to make future products better.

    The people who find many bugs are the people looking to find bugs and make products better. And they report those bugs along with reproducible steps.
    The people who stumble upon bugs are trying to get other work done - they have no time or inclination to halt their work, figure out what

  • I don't care about bounties, how about a public bugtracker?
