Does Microsoft Need Bug Bounties? 100
Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."
A Fundamental Problem with This Suggestion! (Score:5, Interesting)
Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.
Here is the source [mozilla.org] for Mozilla projects. Here is the source [chromium.org] for Google Chrome. And where do I find Internet Explorer's source code? Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code. How can they start a bug bounty program when they won't even trust the community with seeing their code?
To put it another way: when you practice security through obscurity, offering monetary incentives for bug discovery is not a financially sound decision.
Furthermore, there have been times when a bug submitted to Google was deemed not a bug and a discussion ensued why that was with the source code referenced. I believe Microsoft could just say, "Oh, sorry, we don't owe you anything for discovering that feature but since you can't see the source code you'll have to take our word for it."
Microsoft doesn't need bug bounties. They need to achieve the prerequisite of code inspection before they can even consider putting their money where their mouth is [slashdot.org].
Re: (Score:3)
I'd venture to guess that the majority of vulns are found using a debugger/disassembler such as Ole, IDA, or WinDBG rather than looking at the source code. The source can lead you only so far. The binary is what matters. Check out the ABO exercises some time, just as an example. Just saying.
Re: (Score:2, Insightful)
This reminds me of a funny quote from Undocumented Dos on getting access to the complete Dos source code. You couldn't but you could get a mix of source, binaries (.obj) and debugging information (symbol values) for the binaries if you paid a few thousand dollars for the OEM Adaptation Kit or something like that. The authors of Undocumented Dos opined "That's almost as good as source code - the only thing it is missing is the comments which are probably misleading anyway"
With that in mind here's how to g
Re: (Score:3)
If you plan on fixing bugs, the source is great. If you plan on exploiting bugs, it doesn't really matter. I may be in a security research department at well-know network security company based on a popular open source tool and not just someone talking completely out of my ass. Again, just saying.
Re: (Score:1)
What Microsoft really needs to do is to stop ignoring vuln reports for six months or a year, only to label the researcher a criminal when he/she finally goes public with it. "Responsible Disclosure" my ass!
Re:A Fundamental Problem with This Suggestion! (Score:4, Insightful)
On a serious note, I don't even think Microsoft releasing the code at this point would be a good thing by any means.
When something starts out open source.. it's great. The obvious bugs get found while people are still playing with it. IE is in heavy production use ... if you just just open it up at this point in the game you'd probably get an enormous influx of security holes.
Re: (Score:3)
Small nit-pick: You already have the security holes now for free, this would just help in pointing them out.
Why bother? (Score:3)
Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?
Re: (Score:2)
Re: (Score:1)
Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?
So you can make the 'bounty submitters' sign an agreement not to reveal the vulnerabilities they discover, or the fact they discovered a vulnerability; for fixing at your leisure.
Re: (Score:3)
Ah yes, the infamous, "everyone else is doing it argument."
Suggesting that the only source of security with IE, the team that originated the idea of sandboxed browsers, which only Chrome matches, is a bad joke.
Turning the talk of a bug bounty program into a discussion on open versus closed source is just as bad.
People are not finding the major security vulnerabilities in these browsers by sifting through their source code; they are doing it by using fuzzing and similar debugging techniques designed to break
Re: (Score:1)
Re: (Score:1)
Ever heard about "forks"? They were already executed many times when majority of community did not like direction where project was going. So, as true AC, you spew crap.
Re: (Score:1)
Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code
It's called Microsoft Shared Source Initiative [microsoft.com]
You just have to meet certain pre-requisites: you need to be an enterprise with 1500 licensed windows seats, sign a big fat NDA, and intend to use the source code for an eligible reason.
Re: (Score:1)
They'd be gone in a week (Score:5, Funny)
Re:They'd be gone in a week (Score:5, Insightful)
And a lot of bugs can't be fixed because old applications rely on them and people only buy Windows for backwards compatibility.
When I was writing Windows video drivers years ago we had to deliberately put bugs into our drivers to match the bugs in the stanadrd Windows drivers because various popular applications would fall over without them.
Re: (Score:1)
You say that like its a bad thing. (Score:1)
I can wish.
I would love to see both M$ and Sony complete liquidated.
Re: (Score:2)
Re: (Score:3)
You're right. They're cash position has been slowly degrading and sales are not what they used to be. What is telling is that they got hit by this last depression harder than Apple. They are tied to businesses and home markets, both vulnerable to economic down turns. Apple sells many low priced things, music downloads and low end iPods are examples, that they have actually been growing. MS has been losing market share as well to Linux and Apple. The slow squeeze is on and there seems to be no equivalent of
Re: (Score:3)
Perhaps you need to review Microsofts financials before saying such silly things. 2009 was the only year in which sales went down, 2010 they increased by 7%, and so far expectations are that they will increase by 15% (approximately).
Date / Sales / Growth
June 30, 2011 $71.85B 15% (estimated)
June 30, 2010 $62.48B 7%
June 30, 2009 $58.44B -3%
June 30, 2008 $60.42B 18%
June 30, 2007 $51.12B 15%
June 30, 2006 $44.28B 11%
June 30, 2005 $39.79B 8%
June 30, 2004
Re: (Score:3)
Stop being so anti-Microsoft. It would take a month at least for them to go bankrupt this way.
Re: (Score:1)
Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!
They could adopt a policy of paying $100 each to the top 500 people each week by number of confirmed vulnerabilities.
They would certainly end up (Score:2)
Can MS afford bug bounties? (Score:2)
Re: (Score:1)
A dent.
But shortly they'd have very few bugs, and still have something to sell.
And then it'd be worth the money. Maybe more. Likely more.
And they'd soon be even richer.
So bug bounties would be a wise investment.
Hard to even submit MS bugs. (Score:1)
Re: (Score:3)
It's like they would rather pay you to NOT submit bugs.
That's a lot cheaper than fixing them.
MS bug-submission form (Score:5, Funny)
Microsoft Bug Submission Form [slashdot.org]
Re: (Score:1)
Any time a process goes tits-up on my machine, it reports that it's checking for a solution to the problem, then that it's reporting the problem.
That's not the same as being able to report that I don't like the way they've mis-implemented a feature, but it makes reporting crash-bugs painless.
I don't recall hearing of Linux or OSX phoning home to say it crashed. Where did MS get the idea?
Re: (Score:2)
OSX with 10.4 has had Crash reporter.
when safari crashes a dialog box comes up that says close(and the app quits), reopen, or report.
I always click close, and the reopen after the memory clears.
When running both firefox and safari for several weeks at a time I find that I have to close both wait 2 mintues for the system to clear the memory blocks and reopen. everything returns to normal speed after that.
Re: (Score:1)
I wish Firefox would be a little smarter about that. It's annoying to try to open an app, have it tell you that it's already running, then have to close that message box and open the app again. I've never seen the message appear on the second open, no matter how quickly I attend to it, so why doesn't the dialog just say "wait a second while we clean up in here"?
Re: (Score:2)
The only reason I know is because I usually am running utility monitor and watch it take firefox and safari an extra minute or so to quit. Heck even just running a memory manager you can wait for it to drop drastically and then you know firefox has been unloaded.
Re: (Score:2)
Any insight as to what Firefox is doing with that time? Garbage collection would be pointless after a termination signal. All the config stuff seems to be persistent the moment it's modified. Cached info being stored? Maybe. Running mass quantities of heavyweight destructors may be the bottleneck, depending on how they've chosen to implement solutions to their famous memory-leakage problem. It's clear they don't have a "we're quitting, just drop it and walk away" policy for a lot of their objects.
They are paying one way or another (Score:1)
Guess what Microsoft? (Score:4, Insightful)
There is good money to be had selling discovered vulnerabilites. If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.
#3) Penetrate and Patch (Score:1, Interesting)
Re: (Score:2)
The Six Dumbest Ideas in Computer Security [ranum.com]
No no... It's not a dumb Idea, well, not initially anyway, but you got it wrong, it's: Penetrate the patch.
The problems arise if you keep at it for long enough...
Re: (Score:1)
That's the most retarded thing I've ever read. It essentially says that you're code shouldn't ever have bugs... this is reality, bugs exists even in good code.
Re:#3) Penetrate and Patch (Score:4, Insightful)
Correction, no *known* bugs. There is no such thing as "bug free". Did you factor in the framework? The OS? I thought not.
Re: (Score:1)
Aren't you fucking genius.
Re: (Score:1)
Re: (Score:1)
In Soviet Microsoft.... (Score:1, Flamebait)
No seriously, if you are a lowly person that found and confirmed a bug, you have to pay them to talk to them.
So yeah... Fuck Microsoft.
I found a bug in BASIC V2 (Score:1)
POKE781,96:SYS58251 makes my screen do funky things.
Re: (Score:1)
POKE781,96:SYS58251 makes my screen do funky things.
Never caught that one.
Is it like MISSINGNo. ?
Don't know about Bounties... (Score:2)
But Microsoft could definitely use more Fletcher Christians and fewer Captain Blighs.
Re: (Score:2)
You may be right, but remember that Bounty is the "quicker picker upper". In today's security climate speed is a plus.
Microsoft has always dealt with bugs as a PR issue (Score:2)
Since Microsoft has a habit of ignoring the issues that get reported without a bounty, I don't see how adding one would improve the issue.
One of the reasons for Full Disclosure is to pressure companies that think of security vulnerabilities as a PR problem instead of an urgent technical issue. If the first reaction you get from a company is "this only effects a small handful of users" then they are trying to patch through spin instead of fixing the problem. Microsoft is not the only one that does this, but
What about a different kind of bounty? (Score:2)
What if, instead of Microsoft sponsoring bounties for bugs in Microsoft code, we all just started a pool ourselves to fund a bounty for Microsoft coders?
It doesn't cost that much, surely someone must know a guy who knows a guy?
Clearly, since we can't fix the bugs ourselves, the most efficient solution is to make sure no more bugs can be introduced... Let's end the problem at it's source!
Re: (Score:2)
Why do I want to help a company which I regard as an enemy?
I don't want them to improve, I want them to fail, badly.
Microsoft is not serious about its products. (Score:1)
Wow that's surprising (Score:1)
It's not just a practicality question (Score:5, Insightful)
It's also a philosophical question. Microsoft as an organization believes that the best possible way of producing software is to hire the smartest programmers you can get your hands on, give them a carefully honed specification designed by the best marketing and UI people you can get their hands on, directed by the best management you can get their hands on, and have them go to work. And if you're Bill Gates, this really does seem like the right way to do business.
The trouble is:
1. You can't get your hands on all the smart people in the world.
2. Even if you could, enough people hammering at software in every way imaginable has a way of uncovering problems that the smart guys hadn't even thought of. I'm talking about stuff like "I didn't know that they were going to try to use some sort of wildly different equal sign Unicode code point from Cyrillic instead of a UTF-8 '='". That makes the population of users a much better source of uncovering obscure bugs than the best QA team could ever manage.
3. Linus's Law suggests that when somebody uncovers these sorts of obscure bugs, there's somebody in the world who could figure it out pretty easily. Using my earlier example, chances are that in the whole of Russia, there's somebody who really is interested in Unicode in a way that no sane person ever would be, and because of that developer's familiarity with Unicode and Cyrillic is going to have a good idea how to fix the bug in the best way possible. It may not be perfect right off the bat, but it will be started in the correct way because the person in question has the exact specialized knowledge needed to solve the problem. So the population of programmers not working for Microsoft is going to outperform Microsoft's programmers by sheer numbers if nothing else.
4. ESR pointed out that the guy in Russia interested in Unicode is far more motivated to fix a hypothetical Cyrillic Unicode bug than a programmer working in the bowels of Microsoft's headquarters, because it's a bug that affects them directly in a field they care about.
In other words, Microsoft can't win these kinds of fights, but they can't give up the belief that they can win these kinds of fights. Hence they won't change, no matter how much they should.
Re: (Score:2)
Re: (Score:3)
What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in whether an async lambda inside an anonymous type declaration triggers invalid codegen, and wouldn't even discover the issue until the language feature has been in widespread use for five years, but internal QA will discover the bug before the feature ships. On your question of unicode bugs,
Re: (Score:2)
What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties
So you're saying that more bugs are reported by people who get paid to report them than by people who don't. Obviously that has to make us wonder what would happen if non-employees could get paid for reporting bugs.
Re: (Score:2)
Good point. If we do accept this premise that paying people is the best way to get bugs filed, then it becomes an economic and moral question:
* Does the "bounty" system find better bugs per dollar spent once you factor in the wasted costs of administering the bounty system, or the current "salary" system? In other words, has the free market pegged the salary level of Q&A staff incorrectly?
* If the "bounty" system is indeed more cost effective, is that because we're exploiting the bounty-hunters by getti
Re: (Score:2)
There is a questionable assumption implicit in your first question, which is that a small number of QA people working full-time is equivalent to a large number of people working part time. I think there's a strong argument to be made that when searching for security bugs it's important to use a large variety of approaches. One grad student or independent researcher may well come up with an angle that none of the QA team members would ever have come up with -- not because he's necessarily smarter, but beca
Re: (Score:2)
What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in _____
Halt Give me the source code. Then, and only then, can you make such a comparison... I do care, but I just thought it was a bug somewhere else in my project that I hadn't ironed out... With open source compilers (such as LLVM and GCC/G++), I can check the source and SEE if my hunch is correct or not -- it is rarely, but sometimes is a compiler bug -- Screw your half-assed attempt at comparing black-box to white-box bug analysis.
Additionally, Quit you tard! GTFO our compiler! YOU are the F*Ing proble
Re: (Score:2)
So what you're saying is... "In Soviet Russia, bugs find you!" ?
Re: (Score:2)
Most of the bugs are not nearly so obscure as what you're suggesting, although some are discovered by people quite far away. A video with Bruce Dang of MS speaking at the 27th Chaos Communication Congress is revealing. He spoke on behind the scenes thinking and fairly early/rapid analysis done in looking at Stuxnet and seeing what/how it exploited in Windows in multiple ways with 100% reliability.. (The talk does not cover the far more serious aspects of Stuxnet, the PLC- targeting payload or the implica
It would be too costly (Score:2)
Microsoft may have to pay users (Score:2)
Kurt Werle says:
"Microsoft may have to start paying users in order to stay relevant."
Now can we have a stupid article that quotes me?
Headline: "Should Microsoft pay its users?"
Because saying something stupid seems to be the bar for getting mention, here...
Microsoft's real security problem (Score:3)
The real problem with Microsoft's Windows is support for Legacy Hardware and Software.
Microsoft Windows wan't designed to be secure in the first place. Even Windows NT-based OS's reintroduced legacy support for backward compatibility; a strategic blunder to pander the ultra-conservative developer base.
The Application Developer Base is refusing to adapt to new, secure API's like .NET, especially in the corporate sector, and is sticking to legacy API's like Win64, Win32 and even Win16.
Plugin Developers still program insecure ActiveX and NS-Plugins, as well as Toolbars.
Hardware Manufacturers are refusing to write drivers that adhere to the new security models.
The only way MS can make Windows secure is to do what it should have done with the introduction of WIndows NT and removed Legacy Support. It worked for Apple with Mac OS X and the "Classic" and "Rosetta" virtual machines. Microsoft are trying to do it with the Windows Ultimate "XP Mode", but failing.
They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever." They need to tell their Corporate customers, "If you're still running XP because of some stupid Legacy software, we're going to cut you loose next year. We won't be supporting you."
They don't think they can do this incase their customer base jumps ship to Mac or Linux. Even though it is a risk, they can because the majority of their user-base want Cheap Hardware and Easy-to-use Software, which rules out both Mac and LInux. They are locked into whatever Microsoft dictates.
Re: (Score:2)
They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever."
They already did. There were programs that broke really badly in Vista because developers were continuing to use interfaces that were marked as deprecated and going away. Microsoft had for years refused to certify these same programs as "Designed for XP" (or whatever it was called) because they used the obsolete interfaces.
It turned out really badly for them. People blamed Vista for the bugs. I had to explain the situation to lots of users and informed them that it was actually the software companies' fault
Re: (Score:2)
The Application Developer Base has billions of lines of working code that they don't have the budget to rewrite in .NET. I look forward to the day when Microsoft try to dictate to their corporate customers and their corporate customers, just like they did with Vista, will say 'screw you we're not buying something that doesn't run our software'. XP Mode exists because, out in the real world, software can't just be rewritten on a whim or because Microsoft say it should be, and in fact should be on all versio
Meh (Score:2)
The Quote of The Day says it better than I can... (Score:2)
Divq zr nakvif fiz?
Enssvavreg vfg qre Ureetbgg nore obfunsg vfg re avpug. -- Nyoreg Rvafgrva
Ertanag cbchyv.
frzcre ra rkperghf
FRZCRE HOV FHO HOV!!!!
I believe that last one says, something about crying out for "Help" "Help", or calling out for "Security!" -- What language is this -- seems vaguely familiar... almost like when Dance Dance Revolution moves scroll up the screen, and I think: Holly Hell -- These Brainfuck coders [wikipedia.org] have some messed up concepts of fun!
Not for money - for making future stuff better (Score:2)
Find a bug in Firefox or Chrome and you're helping make a product better that will make future products better.
Find a bug in IE and there is a likelihood that few people will ever use that code to make future products better.
The people who find many bugs are the people looking to find bugs and make products better. And they report those bugs along with reproducible steps.
The people who stumble upon bugs are trying to get other work done - they have no time or inclination to halt their work, figure out what
Public bug tracker. (Score:2)