Microsoft Says No To Paying Bug Bounties
Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."
Or it could be because they would be bankrupt ... (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Microsoft: As good at security as Linux users are at doing sex with girls
Re:Or it could be because they would be bankrupt . (Score:5, Funny)
as well witnessed by the linux user who refers to it as "doing sex"
Re: (Score:3, Funny)
Oh, we don't think it was immaculate...
Re: (Score:1)
Re: (Score:2)
Just because you got to the destination doesn't mean you're a good driver*.
*this was originally a sandwich analogy, but then I remembered my audience.
Re: (Score:1)
I have 7 going on 8 children. My wife uses Linux too.
- Dan.
Re: (Score:2)
I wasn't debating whether Linux users have sex, I was pointing out that the original comment was about being good at "doing sex", not about the possibility of having sex. Just because someone is having sex doesn't mean they're good at it. There are plenty of lazy fat people out there.
Of course it was rather poorly worded so the intention could have been either way.
Re: (Score:2)
You're over-analyzing the dynamics of sex
It's not difficult at all
Tab A goes into Slot B
Even a nerd can do it
Re: (Score:2)
I'm both an IT geek and have turned into a bit of a fitness buff in the last couple of years.. heh heh :P This article confirms my limited experience.
Re: (Score:2)
This article confirms my limited experience.
Of course, gay men also score higher in all these categories.
I think this probably implies a wide variety of things, and from my *many* experiences, I think they're probably all partially true.
Re: (Score:3, Funny)
Well, my brother is gay. He's a geek, but definitely not into fitness. I have no idea about his attitudes in the bedroom however and I'd rather not find out :p
Re: (Score:2)
Well, since I was brought up as a pretty fundamental Christian (though I am no longer religious), many of my friends will actually never have sex until after they're married. And then there are some people who value the relationship over the sex. Of course I'm not saying a lot of people are bad at sex, and statistically most people are obviously likely to be average - and it is of course just a natural thing so it's hard to do "wrong" as long as you're not simply getting tired or a clueless n00b.
Feels kinda
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2, Insightful)
Or it could be because they would be bankrupt within the week.
But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
Re: (Score:2)
The joke was that Microsoft's software is so bug-ridden that people will find so many unreported bugs that Microsoft will go bankrupt.
Re: (Score:2)
Wait, it was a joke? I thought it rather insightful!
Re:Or it could be because they would be bankrupt . (Score:5, Insightful)
It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to. Some possible reasons:
1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.
2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irritates the bean counters who are asking, aren't we already paying for people to work on security issues?
3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.
It is interesting they don't want to do it though.
Re: (Score:1)
Re:Or it could be because they would be bankrupt . (Score:5, Insightful)
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
And they modded you "funny" but you're absolutely right, sorta, even if a little exaggerated; they have far more dollars than sense. Well, maybe not sense; ethics.
Re: (Score:3, Insightful)
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?
Re: (Score:2, Troll)
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
Yet they proactively fix bugs and distribute those fixes at no cost. Strange.
Re: (Score:2)
Fixing product defects is what happens when you ship defective products.
So you think every software vendor ships defective products ?
In the auto or any other industry it's a "recall". You ship a defective product, you have to fix it. You sound like they're doing it out of the goodness of their hearts. Do you work for MS, own stock, or what?
I never even suggested they're doing it for any reason other than good business. The same reason every other vendor fixes their bugs.
Re: (Score:2)
So you think every software vendor ships defective products ?
Every manufacturer of every product made occasionally ships a defective product. Nobody's perfect, but some vendors are worse than others.
Re:Or it could be because they would be bankrupt . (Score:5, Insightful)
That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.
But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors (or at least your PR antichrists), it makes sense to either hire them or become their best customer, either of which will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.
What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinacy?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.
Re: (Score:1, Insightful)
Because they would have to have a system where bugs are identified and tracked.
Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.
For Microsoft, honesty is not the best policy - they are more of a let-the-dog-sleep, good-enough type of company.
Translation: (Score:5, Funny)
"we don't think paying a per-vuln bounty is the best way."
-- er
"We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."
Re: (Score:2, Interesting)
Re:Translation: (Score:4, Insightful)
If there weren't lots of bugs to be found, they wouldn't need so many test engineers. Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release? That would be the truly comical claim.
Re: (Score:2, Insightful)
Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release?
I never even came close to making such a claim. Nice try though.
If there weren't lots of bugs to be found, they wouldn't need so many test engineers.
I'm not sure what point you're trying to make. Anyone with even rudimentary exposure to software development or testing theory understands that having tests is not a sign that a prod
Re:Translation: (Score:4, Insightful)
And, since your argument now seems to be that money is not what drives people to find vulnerabilities (which is what MS was arguing, according to the summary, and what the OP was ridiculing), what do you propose drives the "bad guys" to find them?
Re: (Score:2)
You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former
A saying popular with the OpenBSD team seems appropriate here:
The difference between a bug and a vulnerability is the intelligence of the attacker.
A lot of non-exploitable bugs have, in the past, turned out to be vulnerabilities when someone else looked at how to attack them.
Re: (Score:3, Informative)
As they say, "the proof's in the pudding."
That's how it has been corrupted over time. The actual quote [worldwidewords.org] is, "The proof of the pudding is in the eating."
From that article:
"The full proverb is indeed the proof of the pudding is in the eating and proof has the sense of “test” (as it also has, or used to have, in phrases such as proving-ground and printer’s proof). The proverb literally says that you won’t know whether food has been cooked properly until you try it. Or, putting it figurat
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Paying a bounty is paying only for results.
Only if you think reviewing the thousands of "reports" submitted to claim a bounty can be done for free. You could easily spend millions (e.g., ~10 employees) going through the list and not find a single actionable bug. You think every report is going to be a genuine, original vulnerability? Get real.
Do you think that offering a bounty provides a disincentive, and would result in fewer reports?
There is substantial evidence from the field of psychology that paying for something displaces the original incentive to do it for free. If Google and Mozilla ever ended their bounty program, their rate of repo
Re: (Score:2)
That's seriously fucked up. The last company I worked at had about 1/3 as many QA testers as developers, and that was still more than the industry norm.
If your product has more testers than developers you are dealing with a seriously flawed product and/or development process.
Re: (Score:3, Insightful)
Or just a really big product?
Re: (Score:1, Troll)
Re: (Score:3, Insightful)
What happened was M$ went really performance based in their bonus schemes, the more code you produced the more you got paid and the quicker you produced that code the sooner you got your money. Catch with that, performance often does not equal quality and unwittingly they penalised coders who produced well crafted, carefully thought out, compact code (the code you actually want). They did this for long enough to establish bad bloated coding styles as the norm, hence the problem.
Why M$ won't pay for bug bo
Re: (Score:2)
You give real engineers a bad name, then. It's been said (I think it's someone's /. sig) that if bridges were engineered like software, one would collapse every day.
Sorry, I think MS won't open their source because they're ashamed of it.
Re: (Score:2)
Here's another - If houses were built the way software is built, the first termite would've destroyed civilization
Re: (Score:3)
Re: (Score:2, Insightful)
There's worse...
"We can't afford to get into a bidding war with malware authors."
Re: (Score:2)
Alternatively:
"We spend a lot of money hiding our bugs from the community, why should we spend more money on people who discover them?"
ROI (Score:5, Funny)
"We don't care, we don't have to...we're the operating system company."
Re: (Score:3, Informative)
Attribution: Lily Tomlin's "Ernestine the telephone operator", referring to the then monopoly AT&T (We don't care, we don't have to...we're the phone company), for the younger slashdotters who weren't around when AT&T owned every telephone in America (back then you had to rent your phone).
Committed to their current strategy (Score:3, Funny)
Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.
Thank you very much, fixed. Next!
Crazy like a fox (news anchor).
Re: (Score:2)
Up until that sentence all you were saying made a lot of sense. But that simply blows everything up.
Re: (Score:2)
"Thank you very much, fixed in the next release. It's going to be a great upgrade that pumps up our quarterly earnings to new heights. Next! "
The Emperor's New Code (Score:2)
MS knows it's coding nothing at all, but marketing has them coding in the finest suit of software.
With this masterstroke, no cry of "But they aren't developing anything at all!" will ever gain traction.
They are safe to wander around the walled gardens.
Interesting... (Score:5, Insightful)
On the other hand, handing out hard cash, in addition to credit, can certainly be motivational (yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels + occasional fun money bounties + credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues (both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since (with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports than team FOSS could, which would seem like a natural marketing bullet point...
Re:Interesting... (Score:5, Insightful)
How about we compare MS to Apple - and neither pays for bug/vulnerability finds.
Re: (Score:2)
Based on the ass
Re: (Score:2)
Both of them are headed by guys with the first name Steve and both of those guys are just about equally hated for their prideful arrogance and inability to admit to mistakes. Hmm, I think you might be onto something here...
What a load of crap (Score:2)
It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update
Yeah, because we all know that people really value having their name in a newsletter over having their name in a newsletter AND a few thousand dollars....
the motivations aren't always financial? (Score:1)
Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phishing, or you're targeting companies for data theft, it seems like the motivations are almost always financial.
At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay so
Re: (Score:2)
PR is financial in the sense that it is basically a flavor of advertising; but it is also the case that (some people) really do derive happiness from being seen as rockstars/badasses. As in the music/entertainment business, being seen as a rockstar is also a sound financial move; but it is something that certain sorts of people really do value for its own sake.
(Most) people respond differently
in after 3000 "HURR it would bankrupt them" jokes (Score:3, Insightful)
They're right. Banks don't pay people who find ways to get into their vaults.
You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).
Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.
Re: (Score:2)
I agree, but my first thought was that Microsoft produces more software than Google and Mozilla combined, which creates a much larger footprint for vulnerability. This, combined with the fact that some of their software is supported for up to 13 years after it's released (Windows XP), means that it very well would cost them a fortune. And by the time they stop supporting their software, attacks which never existed in anyone's wildest wet dreams have appeared, and the 12-year-old software wasn't designed a
Re: (Score:2)
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.
What Microsoft needs is first of all a restructuring of the organization - it's hemorrhaging cash, talent and image. Then they need to rewrite Windows and have a transition period where the old is virtualized much like Apple did with Mac OS X a decad
Re: (Score:2)
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible ...
The first sentence was a rather nice bit of unintentional humor.
But your point is well-taken: the whole concept of penetration testing was originally taken from the military, which also hires teams to see if they can break their security and leave notes like "code books stolen" if they succeed.
Re: (Score:2)
They hire people to penetrate
Indeed. They pay people to do it, not because they've already done it. ;-)
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date
The NT kernel as a bastard stepchild of VMS is really not the cause of any unique-to-MS problems, and MS are experimenting with a major rewrite with Midori if that's really what you're looking for.
NT was the step up from DOS-3.1-95-98-ME becoming mainstream just a little before OS X superseded OS 9 - OS X itself being mostly NeXT work, in turn Mach + BSD + ObjC - in turn standard microkernel theory + Unix + Smalltalk. It's all a nice
Re: (Score:2)
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.
Thank you, this sentence made me laugh so hard. It's wrong on so many levels I don't even know where to start with correcting you.
Re: (Score:2)
Microsoft - employs some of the brightest and best programmers and designers in the world
Has an entire research arm dedicated to improving their products
Has teams of testers to test and find bugs ...
...and still produces bug ridden, vulnerable software, that is outdesigned by the competition
Re: (Score:2)
Uh, yes, they do.
Well, maybe not the banks themselves, especially not smaller banks, or really any, these days (too little money actually on hand to be worth it), but it's called "penetration testing". I'm sure the vault manufacturers (or whatever they're called, I suspect most vaults are custom-made) are continually thinking of ways that they could be broken into. (Or at least they should be. Wouldn't be a very good company to s
Re: (Score:2)
Perhaps I was too ambiguous with my language. I felt otherwise, but sometimes I guess I overdo it on the nuance.
I said: Banks don't pay people who find ways... (cheekily nonrestrictive "who")
I did not say: Banks don't pay people to find ways...
IOW, banks don't pay people just because they happen to find ways. In general, banks don't pay money to random people on the street, and the person on the street who makes a hobby of finding ways is no exception. They instead pay selected people specifically to go abo
Re: (Score:2)
Re: (Score:2)
Code reviews are expensive when you have removed a market segment and face zero competition in the short or long term.
The cash and skill sets are needed for the next area of threat or opportunity.
They also need to make sure the next version does not face a near perfect last version.
Microsoft has no need to never listen to bugs/needs/questions/comments on past is
Re: (Score:2)
Microsoft will always sit in the highest thrown
Dew knot truss yore spill chucker.
Re: (Score:2)
Re: (Score:2)
No, I mean spellchecker. Yes, it was a homophone issue. Your spell checker isn't going to catch homophone errors, and people blindly rely on them without proofreading what they write. I ain't got no problem with bad grammar, but I do have a problem with semiliteracy on a nerd site.
Now go away, son, and let the grownups continue the discussion.
Re: (Score:2)
Re: (Score:2)
Sounds like you were going to loose enough sleep over it
LOL, what a fucking illiterate moron. WTF are you doing here, boy?
Bad Microsoft (Score:2)
This is bad logic, ivory tower thinking even, they are assuming the entire ecosystem will have their chosen set of corp centric values. You would think they would have learned otherwise by now!
Vulnerabilities will be discovered, sometimes by multiple independent parties. These vulnerabilities are either going to be sold, exploited selectively (corp esp against a chosen target), exploited publicly, reserved for future use or given to the vendor.
The responsible thing is to try to move as many to the latter as
It was all well and good until... (Score:5, Funny)
... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.
Of course MS can't afford it... (Score:1, Funny)
...they've spent all their surplus cash paying people who forward Bill Gates' email message to 25 other people.
It's the long delays that annoy people (Score:2)
We all know that security researchers are drama queens. As soon as they find a bug, they want to get a bull-horn out and start crowing about it.
Microsoft on the other hand says that if you don't keep it secret for months or even years then you are a bad person and will try to get you fired.
What they should do is just pay a $100 per day for keeping it secret until the bug is fixed. That way even if you don't get bragging rights, you get a pay check.
Signing a non-disclosure agreement like this is pretty no
When did Microsoft go Communist?! (Score:2)
So Microsoft is saying that people should voluntarily and collectively work on fixing and bettering software for free, without any compensation? Mmmm... [theregister.co.uk]
Re: (Score:2)
First of all, I'm not going to read The Register.
Secondly, no, Microsoft is not saying that. You're being purposefully dense to make some kind of stupid Communist reference.
People *already* find bugs in Microsoft products without any compensation. Microsoft never asked these people to work on "fixing and bettering" ("bettering?") software, they took it upon themselves.
Basically, Microsoft's saying: "if you want to help us out without us asking, then go ahead. But don't expect us to pay you for it." Which ma
Re: (Score:2)
"You're being purposefully dense..."
Actually I was making a joke which apparently went way over your head. Or underneath. I don't really know what sort of shoes you're wearing.
"And look at it realistically..."
Yeah, let's analyze a joke realistically. That's a great idea. All jokes should stand up to rigorous a priori and a posteriori scrutiny.
I wouldn't pay either (Score:2)
I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs. Besides they would get swamped with thousands of duplicate or non existent bugs because SOMEONE WAS DOING IT WRONG, not to mention the "i found it first" and other related lawsuits. Waste of time and money for everyone and you and I the consumers won't benefit one bit. Finding a bug != fixing a bug.
Re: (Score:3, Interesting)
I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs.
This is a false dichotomy. They have lots of other options, for example they could throw the money down the hole that is Microsoft's entertainment division, which has so far lost them billions of dollars.
"We value the researcher ecosystem... (Score:2)
Bounties are unnecessary (Score:2)
Bounties suck (Score:2)
The reality is that $3000 for a really good exploitable bug is cheap.
And most companies paying bounties won't pay you for a DoS you found in e.g. Chrome in 2H spare time, and only if you're lucky for things like data leak.
They're only going to pay for sure if you deliver a full-blown, proof-of-concept, completely documented exploit that lets you take over a system.
But here's the trick! Not only those take a long while to do, even for the skilled engineer (heck writing docs and stuff sucks), but $3000
Re: (Score:2)
To be slightly more on topic I'll add to that that Microsoft is the number ONE target and thus get a lot of bugs discovered for free. Bounties might have a small effect (partly due to what I explained before, since eventually a friend will want the $3000 right?), but certainly the small effect is more important for software companies with a lesser market share.
Take Apple for example, they'll never pay bounties (heck, those guys don't even put credits if you're not a big guy, they don't *even* mention the vu
Re: (Score:1, Insightful)
Someone please mod this guy up to the top of the page.
Good exploits are being sold on the black market for $10,000 and more without the NDA shit. Unless you are very moral there is no incentive to report your discoveries to vendors at all!
How the conversation probably went... (Score:1)
Microsoft Representative: No.
Researcher: $2000?
Microsoft Representative: No.
Researcher: Could I at least meet Bill Gates?
Microsoft Representative: *sigh*No, anything else?
Researcher: Uhm... lapdance?
Microsoft Representative: Ok fine, we will pay you one lapdance or hentai dvd per bug. That is my only and final offer.
Researcher: DEAL!
Just go to 3rd party (Score:1)
This doesn't help too much when you find a non-exploitable bug though, or are we only talking about exploitable ones?
This is what microsoft believes should be free (Score:3, Insightful)
"the motivations aren't always financial" (Score:2)
"the motivations aren't always financial" is a phrase I've heard before -- mostly from HR departments. It means someone who doesn't care about the product, but rather about making his/her departmental bottom line, is running things.
Money never hurts, and moves mountains. Yes, some people do it for free. More people will do it if there's cash. This means Microsoft either wants to:
1. save money (unlikely, but possible at a departmental level)
2. not find bugs (likely -- they ta
Does no bounties mean no compensation? (Score:2)
It's always struck me that vendors ought to be paying researchers for the time they spend working with the vendor to help get a bug fixed, rather than a flat rate for finding a bug. I don't think vendors have any obligation to pay people who find security vulnerabilities for the time they spent finding the bug, but if they want a researcher to spend time documenting and explaining the bug so they can fix it then they need to compensate that researcher. If there is a flat bounty rate, the researcher can decide
TED Talk (Score:2)
Compromise (Score:2)
What did you expect... (Score:2)
...from the company that used to charge YOU a huge bill for the "privilege" of sending bug reports?
Re:Not enough money in the world (Score:4, Insightful)
Yeah, that's a description of a competent organization. Perhaps if things are that complicated they should be removing things like WiMP and IE which have no place in the base system to focus on making things be actually secure.
Re:not surprising (Score:4, Funny)
Finally! Someone used the word "loose" properly. Even if the meaning of the sentence is different than what you intended (I have no way of knowing), it's true nevertheless. They would have indeed loosed big money.