Slashdot Mirror


Bill Gates Should Buy Your Buffer Overruns

Slashdot regular Bennett Haselton has written in with his latest essay. He starts "WabiSabiLabi generated some controversy recently by announcing their eBay-like site for security researchers to sell security exploits to the highest bidder. But WabiSabiLabi didn't create the black-and-grey market for security exploits, they merely helped draw attention to it. There's nothing that companies like Microsoft can do about the black market where security exploits sell for tens of thousands of dollars, but there's one obvious thing they can do to help protect users: offer to buy up the security vulnerabilities themselves. If they did that, then the exploits would probably never make it onto a black-market auction in the first place, because the "white hat" researchers would have found them and reported them first. Thus I think WabiSabiLabi is doing the world a favor, by shining a spotlight on the black market that thrives when companies won't pay for security bug reports."

Really, what is a good argument against companies paying for security exploits? It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit isn't found by a white-hat researcher, someone else will probably find it and sell it on the black market instead. (Throughout this discussion, I'm using Microsoft as a stand-in for all companies which have products in widespread use, and which do not currently pay for security exploits even though they could obviously afford to.)

Perhaps you say that you would be willing to report bugs to Microsoft for free, and I respect people who do that out of selflessness, but that's not the point. Even if you and some other people would do "white-hat testing" for free, there are more people who would do it if there were prizes. The number of people willing to do security testing for free has not been enough to keep exploits from being found and sold on the black market -- but if Microsoft offered enough money, it would be. Obviously if Microsoft offered more than the black-market prices, everyone would just sell their exploits to them. But Microsoft could probably offer much less than the black-market prices and still put the black market out of business, because there are lots of researchers who wouldn't sell exploits on the black market even for tens of thousands of dollars, but would be willing to participate in a legal Microsoft "white hat" program for much less money.

Microsoft would undoubtedly say that they do their own in-house testing, and indeed the offer of a prize should not be used as a substitute for good security testing within a company. But at the same time, the fact that a company does their own testing isn't a good reason for not offering a prize. If a company says that they already do their own in-house security audits to catch as many bugs as they can, that still doesn't answer the question: given that a cash offer would probably result in an outsider finding a new exploit that they missed, why wouldn't they want to take it? Even if there are already outsiders who willingly find new exploits and turn them over to Microsoft for free, there's almost certainly at least one more exploit out there that would be found if they offered a cash prize. (And if the cash prize doesn't turn up any new exploits, then the company doesn't pay out and has lost nothing.)

I've done security consulting for companies like Google and Macromedia who paid me "by the bug", so you might think I'm biased in favor of more such "bounty" programs because I think I could make money off of them. Actually, I think that if Microsoft and most other large software companies offered security hole bounties to everyone in the world, almost all exploits would be picked clean by other people, and my chances of getting anything out of it would go way down, and there would be one less buffer protecting me from having to get a real job. But most people's computers would be safer.

Microsoft does in fact "pay" for security exploits in their own way, by crediting people in their security bulletins. To some people, who report exploits in hopes of being recognized, this is apparently enough. And there are third-party companies like iDefense who will buy your security exploits and then use them to gain reputation credits for themselves, by handing them over for free to the software developer and warning their own clients about the potential risks. But there are a lot of people, including me, who have found exploits in the past but don't consider the benefits of being mentioned in a Microsoft security bulletin to be worth the effort of finding a new one. And even the benefits that iDefense gets from reporting security holes are evidently not sufficient for them to offer enough money for exploits to compete with the black-market prices (if iDefense got that much benefit out of it, then they'd be able to offer so much money that nobody would sell exploits on the black market). So using recognition as payment is evidently not enough; as Lord Beckett says, "Loyalty is no longer the currency of the realm; I'm afraid currency is the currency of the realm."

A cash prize program might mean that some people get mad when they are turned away for offering "exploits" that don't really qualify, but so what? What are they going to do for revenge, release their "exploit" into the wild? If it's not a real exploit, then it won't do any harm, and if it is a real exploit, then Microsoft should have paid them after all! Some people might threaten to sue if they aren't awarded prizes, even if the rules of the program state clearly that Microsoft is the final arbiter of what counts as an exploit. Maybe in some rare cases they would even win. But all of this could be considered a cost of running the program, just like the cost of giving out the prizes themselves -- and all insignificant compared to the cost of an exploit that gets released into the wild and allows a malicious site to do "drive-by installs" of spyware onto people's machines.

Probably the real reason Microsoft doesn't pay for security exploits is that they don't pay the full price for those drive-by installs and other problems when a new exploit is discovered. I've heard hard-core open-source advocates say that either (a) Microsoft should be held liable for the cost of exploits committed using flaws in their software, or that (b) users of Microsoft software should be held liable for exploits committed through their machines (which would drive up the cost of using Windows and IE to the point where nobody would use them). If that happened, Microsoft probably would pay for security exploits to forestall disaster. But let's make the reasonable assumption that neither of those liability rules is going to come to pass. The real price that Microsoft currently pays for security exploits is in terms of reputation, and the price they're paying right now is too low, because people don't realize that Microsoft could find and fix a lot more bugs by spending only a tiny amount of money -- but chooses not to. Despite all the snickering when "Microsoft" and "security" are used in the same sentence, most people seem to believe that Microsoft is doing everything they can to prevent users from being exploited. But as long as Microsoft doesn't pay for security holes, they're emphatically not doing "everything they can".

It's not that I think security bosses at Microsoft are trying to screw anyone over. They probably just have an aversion to the idea of paying for security holes, and what I'm arguing is that such an aversion is irrational. The people they would be paying money to are not criminals or bad people, they're legitimate researchers who just can't afford to do work for Microsoft for free when they could be doing something else for money. Offering cash will bring in new exploits, and every exploit that is reported and fixed is one that can't be sold on the black market later.

There are some interesting details that would have to be worked out about how such a program would be implemented. For example, what happens if Bob reports an exploit, and then Alice later reports the same exploit, before Microsoft has gotten a chance to push the patch out? Microsoft wouldn't want to pay $1,000 to both of them, because then whenever Bob found an exploit, he could collude with Alice so that they both "independently" reported the same bug and got paid twice. Microsoft could pay only Bob, but Alice could get so disillusioned at getting paid nothing that she might stop helping entirely. My own suggestion would be to split the money between all researchers who report the same bug in the time window before the fix is pushed out. If 10 researchers happened to report the same bug and each only got a paltry $100, some of them would quit in disgust; but if researchers start to leave because the average payout per person has fallen too low, that will drive the average payout back up, so the number of active researchers settles at an equilibrium.

Another issue: What happens if a researcher reports an exploit confidentially, and then the next day the exploit appears in the wild? If Microsoft's policy was that they would pay for the exploit anyway, then a researcher would have no incentive not to sell the exploit twice, once to Microsoft and again on the black market (whereupon it might start being used in the wild). On the other hand, if Microsoft refused to pay for exploits that were released in the wild before they issued a patch, then that might leave many researchers feeling cheated if they turned in a genuine exploit and got nothing just because someone else sold it on the black market before the patch came out. My suggestion would be to simply pay for exploits even if they did subsequently get released on the black market -- on the theory that of the white hat researchers who turn in bugs to Microsoft, most would be ethically opposed to selling exploits to black marketeers, so they shouldn't be punished if the exploit ends up on the black market, since they probably weren't the ones who put it there. Another option would be to make the payout so large that even if researchers got no payment when the exploit leaked into the wild before a patch was issued, the payout from the times they did get paid would more than make up for it.
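The two rules sketched in the last two paragraphs (split the prize among everyone who reports the same bug before the fix ships; decide whether a leak before the patch voids the payout) are easy to get subtly wrong when written down as program rules, so here is a small model of them in Python. This is an added illustration, not code from the essay, from Microsoft, or from any real bounty program. The reporter names, the `MSRC-n` bug identifiers, the dates and the $1,000 prize are constructed for the example, and the tie-break rule for odd cents (they go to the earliest reporter) is an assumption the essay does not state.

```python
"""Model of the duplicate-report and leak-before-patch bounty rules.

Added illustration only: not the essay's, Microsoft's or any real program's
code. All report data below is constructed; the odd-cent tie-break is an
assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Report:
    reporter: str
    bug_id: str        # id assigned by triage, so duplicates share one id
    received: date


@dataclass(frozen=True)
class Bug:
    bug_id: str
    patch_released: Optional[date]   # None: no fix shipped yet
    seen_in_wild: bool               # exploit leaked before the patch


BOUNTY_CENTS = 100_000  # the essay's $1,000 example prize, in cents


def payouts(reports: List[Report], bugs: List[Bug],
            pay_if_leaked: bool = True) -> Dict[str, int]:
    """Split the bounty for each bug among every distinct reporter who filed
    before the patch shipped. Re-sending the same report earns no extra
    share, so Bob and Alice colluding get one bounty between them, not two.
    With pay_if_leaked=False a bug that leaked before the patch pays nobody.
    Returns total cents owed per reporter."""
    by_id = {b.bug_id: b for b in bugs}
    # bug_id -> reporter -> earliest valid report date
    first_seen: Dict[str, Dict[str, date]] = defaultdict(dict)
    for r in reports:
        bug = by_id[r.bug_id]
        if bug.patch_released is not None and r.received >= bug.patch_released:
            continue  # arrived after the fix: the window has closed
        if bug.seen_in_wild and not pay_if_leaked:
            continue  # the stricter policy: nothing paid once it leaks
        earliest = first_seen[r.bug_id].get(r.reporter)
        if earliest is None or r.received < earliest:
            first_seen[r.bug_id][r.reporter] = r.received
    totals: Dict[str, int] = defaultdict(int)
    for bug_id, reporters in first_seen.items():
        share, remainder = divmod(BOUNTY_CENTS, len(reporters))
        # assumption: odd cents go to whoever reported first (name breaks ties)
        ordered = sorted(reporters, key=lambda n: (reporters[n], n))
        for i, name in enumerate(ordered):
            totals[name] += share + (remainder if i == 0 else 0)
    return dict(totals)


def break_even_prize(prize_cents: int, leak_probability: float) -> int:
    """The essay's second option: if leaked bugs pay nothing, the prize on
    the rest must rise to prize / (1 - p) for the expected payout per
    reported bug to stay equal to the always-pay policy."""
    if not 0 <= leak_probability < 1:
        raise ValueError("leak probability must be in [0, 1)")
    return round(prize_cents / (1 - leak_probability))


# Constructed sample data: three bugs, six reports.
SAMPLE_BUGS = [
    Bug("MSRC-1", date(2007, 8, 14), seen_in_wild=False),
    Bug("MSRC-2", date(2007, 8, 14), seen_in_wild=True),
    Bug("MSRC-3", None, seen_in_wild=False),
]
SAMPLE_REPORTS = [
    Report("bob",   "MSRC-1", date(2007, 7, 1)),
    Report("alice", "MSRC-1", date(2007, 7, 3)),
    Report("alice", "MSRC-1", date(2007, 7, 4)),   # resent: no second share
    Report("carol", "MSRC-1", date(2007, 8, 20)),  # after the patch: nothing
    Report("dave",  "MSRC-2", date(2007, 7, 10)),  # later leaked to the wild
    Report("erin",  "MSRC-3", date(2007, 8, 1)),   # unpatched: window still open
]

if __name__ == "__main__":
    for policy in (True, False):
        print("pay_if_leaked =", policy, payouts(SAMPLE_REPORTS, SAMPLE_BUGS, policy))
    print("break-even prize at 20% leak rate:", break_even_prize(BOUNTY_CENTS, 0.2))
```

On the sample data the default policy pays Bob and Alice $500 each for the shared bug, Carol nothing because her report arrived after the patch, and Dave and Erin the full $1,000; switching to `pay_if_leaked=False` drops Dave's payout to zero, which is exactly the "feeling cheated" case the text describes. `break_even_prize` shows what the strict policy costs the program: at a 20% leak rate the advertised prize would have to be $1,250 to leave the honest reporter's expected income unchanged.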

But whatever rules are decided upon, there should be some sort of monetary reward for people who confidentially report security flaws to big software companies. Whatever you can say about the merits of rewarding people through "recognition", or through social pressure to practice "responsible disclosure", the one obvious fact is that it hasn't been enough -- exploits still get sold on the black market, and every exploit that gets sold on the black market would have been reported to Microsoft if they'd offered enough money. The talent is out there that could find these bugs and get them fixed. Most of those people just can't afford to donate the work for free -- but the amount of money Microsoft would have to pay them is far less than the benefits that would accrue to people all over the world in terms of fewer drive-by spyware installs, fewer viruses, and fewer security breaches. And if these benefits were reflected back at Microsoft in terms of greater user confidence and fewer snide jokes about "Microsoft security", then everybody would win all around. There are no barriers to making this happen, except for a mindset that it's "bad" to pay for security research. But if you prevent millions of Internet Explorer users from being infected with spyware, you deserve to at least get paid what Bill Gates earns in the time it took you to read this sentence.

196 comments

  1. Both ends against the middle by Gothmolly · · Score: 5, Funny

    Why couldn't I sell my exploit to the black market, THEN sell it to Microsoft a day or two later?

    -1, Duh

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Both ends against the middle by illegalcortex · · Score: 5, Insightful

      You could, and that would probably still be a GOOD thing. Because if MS fixed it quickly, it means those who purchased the exploit would get a lot less for their money. Therefore, they'd be less willing to buy exploits in the future, or at least pay less.

      Such a market wouldn't be about *exclusive* knowledge of exploits.

    2. Re:Both ends against the middle by Joebert · · Score: 1

      Because whoever you sold it to on the black market would more than likely make your life a living hell, if not just kill you if they ever found out you did that.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    3. Re:Both ends against the middle by altoz · · Score: 3, Insightful

      That'll work once but won't work the next time. Any market has its reputation system and if you're known to sell to both (an obvious thing since Microsoft will have patched it shortly), I'm sure people will bid less and less for your exploit.

      Plus, do you really want to screw over black market customers? They're not your typical customers. I'm sure they'll do a lot worse than not shopping from you again if you screw them over (think identity theft or worse).

    4. Re:Both ends against the middle by MysteriousPreacher · · Score: 1

      Depends who you sell it to. Double-cross the wrong people and I reckon you'd be getting a beating from some nasty gentlemen. The criminals who bought the exploit might also be a bit violent.

      --
      -- Using the preview button since 2005
    5. Re:Both ends against the middle by HappySmileMan · · Score: 1

      You could easily do it, but it'd get patched by MS quicker than if you only sold it to black-hats

    6. Re:Both ends against the middle by dvice_null · · Score: 5, Funny

      I got the perfect solution for Microsoft. They should call their next version of Windows a "Sheep". What kind of a criminal would risk getting caught and ending up in news articles that have titles like "Mr X got caught exploiting a hole in Sheep"? How would you explain that to your parents?

    7. Re:Both ends against the middle by shmlco · · Score: 1

      So why not sell it to Microsoft first, THEN sell it to someone else. Odds are that they can make use of it before Microsoft gets around to fixing it and releasing it on "patch Tuesday".

      Although, when you stop to think about it, what's really stopping someone from selling it as many times as they want? If they're the kind of person who'd create it and sell it in the first place, I'm supposed to believe their "promise" that they won't sell it to anyone else?

      "No, no. This is the only copy of the disk. Really."

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    8. Re:Both ends against the middle by TubeSteak · · Score: 2, Insightful

      Because if MS fixed it quickly, it means those who purchased the exploit would get a lot less for their money.
      That is a huge assumption to make.

      MS regularly sits on vulnerabilities for months instead of patching them.

      By creating such a marketplace, MS effectively gives away information on which non-public vulnerabilities they are aware of, but have yet to patch. That can't be a good thing.
      --
      [Fuck Beta]
      o0t!
    9. Re:Both ends against the middle by Kadin2048 · · Score: 1

      Although, when you stop to think about it, what's really stopping someone from selling it as many times as they want? If they're the kind of person who'd create it and sell it in the first place, I'm supposed to believe their "promise" that they won't sell it to anyone else?

      Um, threat of a very, very painful death? You'd be dealing with some very unpleasant people here; I think they might interpret such behavior as treachery.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    10. Re:Both ends against the middle by camperslo · · Score: 1

      That'll work once but won't work the next time. Any market has its reputation system and if you're known to sell to both (an obvious thing since Microsoft will have patched it shortly), I'm sure people will bid less and less for your exploit.

      If sellers with bad reputations on eBay manage to come back with another identity and continue business as usual, it seems plausible that those marketing hacks could do the same.

      Plus, do you really want to screw over black market customers? They're not your typical customers. I'm sure they'll do a lot worse than not shopping from you again if you screw them over (think identity theft or worse).

      If that's really the case and there's enough identity for the sellers out there to be stolen, perhaps selling worthless hacks using a sellers identity is a way to combat them?

    11. Re:Both ends against the middle by kimvette · · Score: 4, Interesting

      MS regularly sits on vulnerabilities for months instead of patching them.


      Why should they fix it in the current version of Windows? There has to be a compelling reason to upgrade to the next version of Windows, and in the case of Vista, DirectX 10, the Playskool-style interface and [continue]/[cancel] thing just aren't cutting it.

      The next version of Windows will be the most secure Windows release ever. Upon its release: Windows 2010: Upgrade now! Better virus protection! Less prone to spyware (except Microsoft-preinstalled spyware)!
      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    12. Re:Both ends against the middle by giminy · · Score: 1

      Therefore, they'd be less willing to buy exploits in the future, or at least pay less. ...Or they'd be more willing to pay you a visit...a lot of the people buying these zero-days are Chinese military and other government-funded security groups. Not exactly the type of people that I would want to cross (or even be involved with, for that matter).

      Reid

      --
      The Right Reverend K. Reid Wightman,
    13. Re:Both ends against the middle by FurryFeet · · Score: 3, Funny

      "But she had such pretty eyes".

    14. Re:Both ends against the middle by man_of_mr_e · · Score: 2, Interesting

      MS regularly sits on vulnerabilities for months instead of patching them.

      So do Apache, Mozilla, and pretty much any other software vendor, either open or closed source.

      You don't really buy into that "flaws are fixed in 24 hours" BS that people like to claim about open source, do you?

      Here's a clue. When a patch is released, look at the date the CVE was created; in almost all cases the CVE was created weeks or months earlier. It's just that the vulnerability doesn't get publicly disclosed until a patch is made available. The only exception to this is when a highly critical flaw gets publicly disclosed by third parties before a patch is finished, then they move quickly.

      Don't believe me? Do your own research. It will surprise you.

    15. Re:Both ends against the middle by That's+Unpossible! · · Score: 1

      Why should they fix it in the current version of Windows? There has to be a compelling reason to upgrade to the next version of Windows

      That may have been true 5 years ago, but leaving Windows insecure gives people just one more reason to switch to Macs or Linux boxes, and pitch the same idea to their bosses. It did for me, and now our company has a Mac on every desk.

      --
      Ironically, the word ironically is often used incorrectly.
    16. Re:Both ends against the middle by Anonymous Coward · · Score: 0

      so that people would trust M$ and would be willing to purchase other M$ products. you wouldn't buy another car from the same mfr if one gave you trouble and the mfr refused to do anything about it. would you? at least there should be a perception that M$ is fixing the problem. and there shouldn't be too many fixes either, otherwise people would assume that M$'s QA dept doesn't exist.

    17. Re:Both ends against the middle by Anonymous Coward · · Score: 1, Interesting

      I work at MS in Windows Security Test Operations. I'm posting AC because, well, I know that my station will make me instantly hated here (even though, swear to fsm, I only run Ubuntu and OSX at home, lol - even run WoW on wine).

      We know about a lot of bugs, waaaay more than the public even knows about (hard to believe, I know) but it's not like we're just sitting around with our thumbs up our asses pissing in to the wind while we light joints with your burning money. We, like most people, (try to) take pride in what we do and we're working really damn hard to fix these problems (although the devs don't make it easy >_>).

      My point is that there is no secret plot to purposefully leave bugs unfixed. That idea is just fucking retarded. If it doesn't work just accept that the devs wrote/designed it poorly. There's a lot of shit wrong with this company; it's a 10,000 pound gorilla and no decision gets made without a thousand sign-offs, meetings, and mountains of steaming bureaucratic bullshit, but seriously, there's no evil plot and it isn't the Legion of Doom (even if the end result is the same as if it were...and even if Ballmer looks like Luthor).

    18. Re:Both ends against the middle by bulliver · · Score: 1

      Um, threat of a very, very painful death? You'd be dealing with some very unpleasant people here

      OH NO! Geeks! Run!

      --
      Support the mob or mysteriously disappear.
    19. Re:Both ends against the middle by Ant+P. · · Score: 1

      There has to be a compelling reason to upgrade to the next version of Windows, and in the case of Vista, DirectX 10, the Playskool-style interface and [continue]/[cancel] thing just aren't cutting it. That's all part of MS's clever money-sucking plan. In the next version the selling point's going to be the lack of those.
      In fact, I'd wager that was Windows ME's sole purpose.
    20. Re:Both ends against the middle by slashqwerty · · Score: 1
      How would you explain that to your parents?

      Probably the same way this guy did.

    21. Re:Both ends against the middle by Meski · · Score: 1

      What kind of criminal? A kiwi :)

    22. Re:Both ends against the middle by CarpetShark · · Score: 1

      "Mr X got caught exploiting a hole in Sheep". How would you explain that to your parents?


      Bill MADE me do it? ;)
  2. Will they really only sell it once? by beuges · · Score: 3, Interesting

    What's to stop someone getting paid big bucks by microsoft for vulnerabilities, and then reselling the same exploits to the next highest bidder as well? I'd imagine that the people in the business of selling exploits to the highest bidder aren't the most ethical types to begin with.

    1. Re:Will they really only sell it once? by h4rr4r · · Score: 1

      This is why the best system is to make it open.
      Then everyone knows about it and at least the users have a chance to work around the issue.

    2. Re:Will they really only sell it once? by Plutonite · · Score: 1

      Because if you do that once or twice you will get tracked down via the money lead. If I were MS or any other customer I would require some identification, preferably through the financial institution that I'll be sending the money to.

    3. Re:Will they really only sell it once? by kebes · · Score: 1

      But who is the "next highest bidder"? If you sell your vulnerability to MS and also the black-market, for instance, then you're screwing both of them... and they will notice. MS will notice the vulnerability in the wild, and if it happens repeatedly, they will probably stop trusting you.

      If the black-market guys notice that MS came up with a patch surprisingly quickly after you sold them the exploit, they are going to be very angry, because you've very much decreased the value of the exploit. And I would imagine that cheating black-market guys is not a smart thing to do... if they lack ethics in the "break into computers" department they may behave similarly in the "break your legs" department.

      So, at the end of the day, how are you going to sell an exploit twice? Few would try, and fewer still would get away with it.

    4. Re:Will they really only sell it once? by Jeff+DeMaagd · · Score: 1

      I wouldn't worry about it. The original post has some misguided view of reality, with a misguided enough perspective to not realize what is wrong with it when put to practical use.

    5. Re:Will they really only sell it once? by The+Dark+Illuminati · · Score: 1

      Yes! It's correct.

    6. Re:Will they really only sell it once? by The+Dark+Illuminati · · Score: 1

      Just to see how this works.

  3. could make sense... by Anonymous Coward · · Score: 0

    I wonder what the real cost of finding an exploit is for a company like Microsoft... If it's more than 1,000 dollars then they should fully embrace this model

  4. Bad Idea by hauntingthunder · · Score: 1

    "what I'm arguing is that such an aversion is irrational"

    You will get scum attempting to extort money from companies.

    Offer money for doing bad things and people will do bad things

    --
    You will never get to heaven with an Ak 47... But A Zu 30 is good for Low Flying Cherubim
  5. Economics by gad_zuki! · · Score: 5, Insightful

    If MS offers 10,000 dollars per exploit then that's going to be the minimum bid in the market. Someone will then offer 10,500 and the enterprising hacker will go for the extra cash. I don't see how MS's involvement can help this.

    What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

    1. Re:Economics by cowscows · · Score: 4, Insightful

      Yeah, except that you'd very quickly find yourself without a security team.

      --

      One time I threw a brick at a duck.

    2. Re:Economics by MartinG · · Score: 2, Insightful

      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit

      Who the hell is going to work there with such an utterly idiotic policy?

      Surely one aspect of this is that they should be looking to attract good people to the team. Threats of "fines" is hardly the way to do it.

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    3. Re:Economics by Fx.Dr · · Score: 2, Funny

      So what you're saying is - Microsoft has nothing to lose?

    4. Re:Economics by fermion · · Score: 2, Insightful
      In summary, the exploit will generally be more valuable to the attacker than the defender, for many different reasons. Mainly, a baddie might buy ten exploits for $150K, use one or 2, perhaps make 200K, and while the profit margin may not be great, a profit might at least be generated. On the other hand, MS might get those same exploits for $100K, but where is the upside? Did the exploits cost them anything? No, they externalize all those expenses to the government and the customer. Sure they can afford to lose that $100K, they probably lose that much every week on xBox, but unlike xBox buying exploits does not buy them marketshare, at least not yet.

      Then we have more insidious versions of this story. Sell two low level exploits to MS, get 20K. Use the 20K to capitalize a third major exploit. Such a plan, in recursion, will finance quite a nice bot shop with no money down.

      Ultimately, this is not something that will be solved by hiring people to chase the horses after the barn door has been left open. It is similar to missile defense. In principle it is not all that hard (although in principle it is really hard), but even after solving the really hard physics issues, one realizes that, for instance, once the launch vehicle has released the payload, say 100 projectiles, only one of which is live, it becomes a numbers game of the defender having to pay for 100 live interceptors, while the attacker only has to pay for one live munition.

      So, we get back to the recommendation of writing good code. And good code is not code without errors. Good code is code in which errors can be fixed quickly, and the extent of the codebase affected by said changes is limited. What we see with MS is not that the code has bugs. All code has bugs. It is that bugs appear to be, at least in some cases, difficult to fix, and sometimes those fixes break things that should not necessarily be related.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    5. Re:Economics by Smidge204 · · Score: 1

      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      Let's fire one police officer for every crime that isn't prevented. Brilliant!

      Here's a thought. Read the entire summary - the theory is to have an incentive for white/gray hats to get more involved, and so decrease the value of exploits by finding and patching them sooner. There is nothing you can do about the people who would look to sell them on the black market anyway, but you can entice other, more ethical people to get involved and tip the scales.
      =Smidge=

    6. Re:Economics by krazo · · Score: 1

      I think a lot of the issues could be resolved by not having the vendor pay the exploit finder directly and instead allowing people to speculate on the probability of a particular exploit being found.

      This has a lot of parallels to the Policy Analysis Market where the defense department tried to set up a futures market for predicting political developments in the middle east. There are some moral issues around the fact that you might be rewarding the wrong people with the system. My personal take is that information has some value when it's unknown and it may be the case that the "bad" people are the only ones with that information. It's worth rewarding them to get them to give that info up.

      A predictive futures market in exploits might work well. If a contract appeared stating that a vulnerability in Java's image processing code would be found in six months and the price went through the roof, then Sun would know where to start investigating. When they found the exploit, the people who predicted it early would get paid off. It basically rewards people with insider information.

      A person who discovered an exploit would then be able to buy contracts for that exploit low, push the price higher, potentially by publicizing his/her having found it and then publicize the exploit when he/she felt the price was at its peak.

      Trying to shop a vulnerability around the black market would inherently cause the price to rise as well, keying off the vendor to a possible exploit.

      Also, (if my theoretical economics are correct) the stable price of an exploit contract would indicate its overall probability (x product is secure or not.)

    7. Re:Economics by vertinox · · Score: 1

      What might be more interesting is to dock 10,000k from the salaries of the security team everytime someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      Wrong. Studies have shown that negative reinforcement often has the reverse effect due to the fact it breeds contempt. After you punish the security so much that they have little left to work for, they'll probably start including exploits for spite.

      It's human nature.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    8. Re:Economics by digirus · · Score: 1

      Or use physical punishment. Let Ballmer throw chairs at the security team.

    9. Re:Economics by hotdiggitydawg · · Score: 1

      No, he's actually saying Microsoft has a lot of dead weight to lose...

    10. Re:Economics by Arterion · · Score: 1

      10,000k? I don't think their entire security team combined makes one hundred million dollars. We don't really know -- maybe the security team is great, but either understaffed, or unheeded by the people responsible for fixing the bugs. It might not be the individuals, it might be the bureaucracy.

      --
      "That which does not kill us makes us stranger." -Trevor Goodchild
    11. Re:Economics by Sapphon · · Score: 1

      Having the minimum bid price raised to $10,000 isn't an issue if Microsoft, as discussed in the write-up, continues to offer the $10,000 even after the bug has been sold on the black market. In this scenario, it's no longer a single market, and the economically rational thing for the exploit-finder to do is to sell the exploit to both parties.

      I've seen posts arguing that if you do this (sell to both), the black market will stop trusting you and won't pay for your exploits. In that case, those sellers may choose not to sell their exploits to Microsoft. However, people usually value legal earnings more than illegal earnings; raising the costs for the black market exploit purchasers can't be a bad thing; and people who wouldn't sell to the black market would probably sell to Microsoft, making the price difference irrelevant.

      --
      Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
    12. Re:Economics by AP2005 · · Score: 1

      Reminds me of Knuth's checks for typos and code errors (http://en.wikipedia.org/wiki/Knuth_reward_check). You get $2.56 for finding a bug and the amount doubles every year. MS should do something interesting like this to appeal to hackers. Also, MS can offer something the black market cannot - recognition. What if in addition to the money, they acknowledge the person too. It seems that this might be quite valuable to hacker types.

    13. Re:Economics by Oktober+Sunset · · Score: 1

      What would you rather have, an extra 500 dollars or knowing that you don't have to worry about the feds kicking your door in and dragging you off to jail, or worse, the Russian Mafia dragging you off to a meat locker somewhere to face Boris the Bear and his assorted woodworking tools, who informs you 'Exploit not be working, now I show you how Boris do hacking, eh?'

    14. Re:Economics by Stradivarius · · Score: 1

      Security isn't just the responsibility of a "security team". Security is something you have to build in throughout the software. Which means docking pay from the security folks will probably just mean fewer security folks at your company, which means less oversight of the code, which means even less secure software than you've got now.

      For the above policy to even have a chance at working, you'd have to apply it to every developer. And suppose you did that - now you've created an incentive for the developers themselves not to disclose vulnerabilities internally, which seems rather backwards.

      If you wanted to go down the road of financial impact per vulnerability, you'd probably be better off establishing a "bonus pool" for every (smallish) team. If your team's code can take a beating from penetration testers and the public at large, the team gets the bonus based on how well they did. Now you've got peer pressure and competitive spirit working in your favor. And the bonus just has to be large enough to feel significant - but even a decent bonus is probably next to nothing compared to the developer's base salary.

    15. Re:Economics by syousef · · Score: 1

      What might be more interesting is to dock 10,000k from the salaries of the security team every time someone finds a serious exploit. Sometimes punishments are far more effective than rewards.

      You, sir, are a total moron. You've also just demonstrated the very worst spirit in an employer-employee relationship. I hope you're not a manager and I hope you never are one.

      First of all it's not always possible to fix every serious flaw immediately.

      Secondly security is always a tradeoff with ease of use of a system. Sometimes the security team doesn't have final say.

      You'd be constantly docking the security team's pay for things they can't control and they'd come to resent the company. Suddenly the people who know the most about the security of your company resent it. Get it? That has got to be the dumbest thing I've heard in quite some time.

      As someone else pointed out you'd quickly find you don't have a security team or at least you won't find one worth having. Taking away someone's ability to feed their family or provide them with an education or medical care is not the way to get work done.

      --
      These posts express my own personal views, not those of my employer
  6. outsourced testing by ecklesweb · · Score: 3, Insightful

    Almost sounds like an argument to outsource testing to the general public and pay them for it. Not sure why MS would do this when they've been outsourcing testing to the general public for years and charging licensing fees for it!

    Cynicism aside, do you think that it really makes business sense for MS to pay for vulnerabilities? Has their revenue really been hurt that badly from their current security practices?

    1. Re:outsourced testing by mr_mischief · · Score: 2, Insightful

      I'm not sure it's cynicism when it's so obviously true. In Microsoft's defense, it's very difficult to properly test everything for stability and performance against all the third-party hardware and software out there.

      It's not that difficult, though, to check for buffer overruns, array bounds violations, and stack overflows these days. It's also not that difficult to use proper security protocols as opposed to crap like PPTP, for that matter.

      I think Microsoft's public image has been hurt pretty badly by the likes of Nimda, Blaster, Melissa, and similar widespread attacks. Macs, Solaris, and Linux machines have strong arguments for them, but part of what market share they get would default to Microsoft if people hadn't had such poor experiences with Windows and Office. Heck, I'm a Linux guy, but I'm writing this from an XP box because for some things I still need Windows.

      If Microsoft and their Windows team did more than pay lip service to POSIX, security in depth, minimal daemon/services profiles, a powerful command line, standard networking instead of their proprietary stuff, and proactive security audits then lots of people who run Linux, BSD, Solaris, and OS X would never use anything but Windows. Some of us still would, but if Windows had enough POSIX support to run everything written for Unix, had the security of a decent Linux distro, only enabled what services you actually need running, and had a record of fewer actual vulnerabilities (and not just a comparison that their core OS has fewer "critical" bugs than all of the software that ships with RHEL, when RedHat is more likely to call something "critical" anyway), then why would people bother? OS X would be just for video, audio, and graphics people. Solaris, AIX, and other commercial Unixes would be real niche players. Linux and the BSDs would be mainly curiosities for tinkerers, just as MS tries to portray them, and would have only small installations in the business world. There'd still be a place for all of these, but they'd have a much harder time of it if Windows was real quality work in these areas.

      In short, the embrace and extend tactics, the FUD MS spreads, and the NIH syndrome are finally catching up to Microsoft. So yes, I'd say that although they're not hurting much, what little pain they're having is in large part caused by their security practices.

  7. Yeah this by Dunbal · · Score: 3, Insightful

    Makes much more sense than actually writing secure software in the first place, doesn't it?

    This is a silly idea. It assumes that if Microsoft pays someone to keep quiet about a security vulnerability, no one, ever, will independently discover this SAME vulnerability. Human nature dictates that when you hand out money, you will quickly have people waiting in line.

    Reminds me of the Romans paying the barbarians NOT to invade them. Sure, give your enemy an income and make him rich. Makes a LOT of sense...

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Yeah this by khallow · · Score: 2, Insightful

      Sounds more analogous to bribing some barbarians to tell you what the tribe is thinking of doing. Then you can patch up your defenses and anticipate the sometimes enemy.

    2. Re:Yeah this by physicsboy500 · · Score: 1, Informative

      The point of Microsoft bidding on a vulnerability is not to put a hush on it, but instead to do something about it.

      The black market bidding wars currently exist because hackers want to get their hands on an unknown vulnerability they can exploit for a decent amount of time before it's discovered and patched, thus if Microsoft knows about it the value goes way down on the exploit because the time to patch is going to be vastly reduced. Microsoft won't (in theory) just sit on these bits of info (if they would like to remain in any way competitive), but instead use the info to produce a patch.

      --
      The original generic sig.
    3. Re:Yeah this by vfrex · · Score: 3, Informative

      What does it matter if the same vulnerability is discovered? Microsoft would buy the knowledge of the exploit, patch it, and it would no longer be an issue.

    4. Re:Yeah this by knewter · · Score: 1

      It assumes that if Microsoft pays someone to keep quiet about a security vulnerability, no one, ever, will independently discover this SAME vulnerability. Don't be retarded. It doesn't mean that. It means that a lot of times the ethical researchers will stay quiet, the group of people looking at bugs might increase (and would only get denser in the 'ethical' category). It means that MS will get first dibs on exploits rather than try to start thinking about a patch AFTER Code Red. It means an awful lot of good stuff. It's a good idea, for all of the thoughtful reasons mentioned in the article.

      Don't do his logic the disservice of being viewed on the same page with your ignorance. The argument isn't that you buy the knowledge and don't fix the bug. The argument is you buy the overflow and patch it before someone else discovers it. And you make sure you get the info first by paying for it, less than the black market but on a legitimate market. It kills the black market AND makes the software more secure.

      I honestly think something like this could legitimately make a proprietary OS more 'secure' than a free one. The market's an incredible thing.
      --
      -knewter
    5. Re:Yeah this by Dunbal · · Score: 1

      The point of Microsoft bidding on a vulnerability is not to put a hush on it, but instead to do something about it.

      They're not doing anything about it NOW. Why do you think that suddenly they want to pay, and hurry to fix it? And I am sure they know about most of their vulnerabilities.

      --
      Seven puppies were harmed during the making of this post.
    6. Re:Yeah this by Anonymous Coward · · Score: 0

      Makes much more sense than actually writing secure software in the first place, doesn't it?

      Your ignorance deceives you. Name one piece of software that can be guaranteed free of security issues - a product that has no dependencies on anything else, where the dependency could cause a vulnerability.

      "Hello world" doesn't cut it - even that depends upon the C library and the OS.

    7. Re:Yeah this by Deliveranc3 · · Score: 1

      I think they pay so they can LEARN about the vulnerability and patch it, the fact that Microsoft isn't paying for these vulnerabilities is that they're maintaining the stance that they don't want to deal with criminals (how ironic from Microsoft) rather than actually admitting they can't fix all the bugs in their POS software in a timely fashion.

      The most interesting thing about this is that these vulnerabilities are already available in the wild. Hackers only need 1 or 2 -- of however many are openly available for whatever piece of software, or OS -- you're trying to access to be successful. The fact that they haven't patched the already widely known security flaws leads me to believe they have doubts that they'll be able to patch these relatively unknown hacks.

      This is not Sneakers where "There isn't a government in the world that wouldn't kill for this thing," everyone who wants to can already find vulnerabilities and exploit them.

      If Microsoft did buy them they'd be admitting they need to keep them hidden, and admit their software is totally insecure (Which it is.)

  8. Burn them at the stake by Joebert · · Score: 0, Troll

    We could always burn black-hat hackers at the stake, like we used to do with witches.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  9. There's a perfectly simple explanation by $RANDOMLUSER · · Score: 1

    So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"?
    The short answer is that Microsoft just doesn't give a damn. They fix security holes when forced to. If they were a grocer, you'd have to prove to them that you have shit before they'd sell you toilet paper.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:There's a perfectly simple explanation by Cro+Magnon · · Score: 2, Funny

      If they were a grocer, you'd have to prove to them that you have shit before they'd sell you toilet paper.

      I'm running Windows! What more proof do you need?!
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:There's a perfectly simple explanation by Ant+P. · · Score: 1

      More likely if they were a grocer, you'd have to prove you have shit before they stop trying to charge you for its weight in fresh vegetables.

  10. Black Hats versus White Hats by skitheboat · · Score: 1

    We need the Mad Magazine Spys to weigh in on this matter ... or paint a house rather than the endless argument of what exactly is responsible disclosure.

  11. Lengthy. by Funkcikle · · Score: 5, Funny

    Click that magical little read more link below to continue the thought.
    At 11508 bytes, I am afraid my interest buffer would be overrun.
  12. Hostage negotiations by DirtySouthAfrican · · Score: 1

    I dunno, this sounds a bit like the argument over whether or not one should negotiate with hostages or terrorists... Once the black hats figure out that their exploits are being "rescued", two things will happen:

    - Prices ("demands") will go up; these companies have deep pockets / lots of resources after all... want a chopper and $2 million?

    - The exploits will be re-sold... some exploits can't be patched immediately, and even if they can, millions of machines will remain unpatched over their lifetime. So if you can make ten grand from ransom, you can pick up some extra cash on the side by pimping out your victim.

    Maybe I'm taking the analogy too far.

    1. Re:Hostage negotiations by Culture20 · · Score: 0

      Ransoming information isn't the cash cow you think it is. The black hats have more incentive to _not_ let the originating company know there is an exploit. What is needed is a way to make the good guys want to find the exploits first and do something about it.

    2. Re:Hostage negotiations by Endo13 · · Score: 1

      You're kind of touching on my one issue I still had after reading through the whole thing. (He answered the rest by the end.) That being, he keeps making the assumption that the black market exists only because MS isn't buying up the security exploits found. Not so. The black market for such exploits will exist as long as they can be used for any malicious purpose whatsoever (not necessarily even just ones that are profitable). If MS were to offer a cash prize for turning in exploits discovered it would likely reduce the number sold on the black market, but it would certainly not eliminate that market. Even if MS were to offer extreme amounts of cash (say perhaps $100M US) there would still be a small number of exploits that would be used for malicious purposes before MS was notified of them. So in reality, the higher the cash prize MS were to offer, the lower the percentage of exploits released in the wild - but that percentage curve is currently unknown to anyone, so MS can't know for sure if it would be more profitable to offer cash prizes or not. Thus far it looks like they've rolled the dice and chosen not to offer that prize, and given their current monopoly status it would appear that decision has not adversely affected their market-share.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    3. Re:Hostage negotiations by Experiment+626 · · Score: 1

      this sounds a bit like the argument over whether or not one should negotiate with hostages or terrorists

      I disagree. The problem with rewarding terrorists and hostage-takers is that it creates financial incentive to perform these actions in the future. A more appropriate analogy would be if I offered to pay $20 for every typo someone finds in my manuscript. Planting typos to make more money isn't really an option since readers have only read access to the document, and finding the problems that I already put in there is a good thing (I'm made aware of the flaws and can fix them), so encouraging that is fine.

      You also mention demands going up. This happens because people want to maximize their profits. But the most profitable course of action for an exploit-finder is to sell it to both the vendor and black market simultaneously, double-dipping. This, however, makes the exploit less useful to the black market, as the clock is already ticking for a patch being developed. If the vendor is quick about this, black market prices would fall, as the exploits being bought have a much narrower window of usefulness.

    4. Re:Hostage negotiations by DirtySouthAfrican · · Score: 1

      Good point, but regarding double dipping, a lot of zombie machines out there were infected due to exploits for which patches already existed... they just never got patched.

  13. Who cares how many times they sell it? by vortex2.71 · · Score: 5, Insightful

    Who cares how many times they sell it? The point is that Microsoft can buy it and then fix it, thus eliminating the market value of the exploit. If someone can sell it to other people then good for them. It's still in Microsoft's best interest to buy it as early as possible and fix it as early as possible.

    1. Re:Who cares how many times they sell it? by jkrise · · Score: 1

      But what if the original seller leaks it to someone else before a fix, and this new bloke tries to sell the same hack independently to Microsoft? Unless MS is telling others of what vulnerabilities and hacks they have already bought - which is unlikely if not impossible - this scheme will not work.

      In fact it could make things much worse - people will now have direct financial incentive to cause havoc by exploiting unfixed vulnerabilities.

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Who cares how many times they sell it? by Monchanger · · Score: 1

      > The point is that Microsoft can buy it and then fix it, thus eliminating the market value of the exploit.
      Even after Microsoft "fixes" a security hole, the security problem isn't gone. It's only removed from patched computers. I don't recall what kind of numbers are involved, but there's still plenty of value in an "old" exploit, especially for thugs targeting home users' computers.

      > It's still in Microsoft's best interest to buy it as early as possible and fix it as early as possible.
      If it is so clearly in their interest, as your proof-less assertion claims, why don't they? Why haven't they spent some of the widely press-released security efforts for Vista in creating an exploit bounty program? Why don't they blow Linux away every time we see a new stupid apples-to-oranges comparison of which is the more secure? Or are you suggesting that the endless resources of Microsoft, enjoyed by corrupt researchers and politicians, can't find their way into the black market?

    3. Re:Who cares how many times they sell it? by modecx · · Score: 1

      This all assumes that Microsoft gives a flying fuck. They clearly do not--or they do not have the resources to fix their holes in a timely manner. How many vulnerabilities have they actively known about that went unpatched for months on end? I can think of a few, and those are the ones that made it public.

      Furthermore, if MS were to do this, it would validate the exploit market more than it would help create bug free Windows. That's like, if President Lincoln said "we've got all the money in the world so we're going to free the slaves by buying them all up from the slavers, and then we're gonna bring 'em up north and let 'em go", the problem is that such an action creates demand. The prices would go up, and the slavers would start enslaving more people from Africa to fill the hole in the market. In the end, all you do is create a feedback loop of stupidity.

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
    4. Re:Who cares how many times they sell it? by Ambidisastrous · · Score: 1

      I'm not going to try to continue with that analogy, but the theoretical goal here is to eventually discover and fix every bug in a program -- not just reduce the number of bugs being found. For a contrast, see qmail or any of the many other programs whose creators offer a bounty for any exploits found. Security bugs in popular products are worth much more than most bounties, though, and Microsoft in particular doesn't seem to offer any bounties at all.

      Your analogy would be relevant if there were an effectively unlimited number of bugs in the software in question, and the goal was not to find the bugs and fix them, but to avoid ever learning about the bugs at all. So, by failing to pay up for security exploits, Microsoft is essentially stating that:
      (1) There is an inexhaustible supply of security holes in their software.
      (2) They're only concerned about addressing vulnerabilities that have already been publicized, not exploits that are quietly making the rounds on the black market.

      For Internet Explorer, both of these are obviously true. IE has to withstand all the evils of the Internet, and the product doesn't even make money for Microsoft -- security is hard, and the thing had to be hacked together quickly enough to squash Netscape, ergo it's infinitely bug-ridden; and making IE safer won't make it any more profitable than $0/year, so the best tactic for the company is to spend just enough resources on it to avoid embarrassment, and no more.

      For any product that has to stand on its own, that feedback loop is a good thing, putting steadily more hacker pressure on a product as it gains popularity, eventually leading to a "tried-and-true" program with a solid track record. Clearly Microsoft has enough productive developers on staff -- evidenced by the insane number of developer tools and new application frameworks they churn out every year -- but security in mainstream products like IE is not part of the business plan, and they clearly have an additional mental block at the management level that prevents them from shifting resources away from "fire and motion" and towards security, except in the very most critical products.

    5. Re:Who cares how many times they sell it? by binford2k · · Score: 1

      But what if the original seller leaks it to someone else before a fix, and this new bloke tries to sell the same hack independently to Microsoft? That's retarded. Follow these steps:
      1. Microsoft promises Alice $1,000 for a vuln
      2. Alice sells it to Bob for another $1,000
      3. Bob hawks it to Microsoft
      4. Microsoft then halves Alice's payout
      5. Bob ends up paying $1,000 for a $500 payout and Alice makes $1,500

      Why would anyone buy a vuln to resell it?

      Or perhaps you meant that Alice accidentally leaked it to Bob. WHOOPS! Now it's worth half as much. Maybe she'll take better care next time, eh?
  14. Smart about security? by sleekware · · Score: 0, Flamebait

    Microsoft? Do something smart about security flaws? Impossible! ;-)

  15. The answer is... by laing · · Score: 0, Flamebait

    Microsoft is not interested in fixing the problems with their operating systems. They need a certain number of bugs and annoyances present in the OS so the consumer will be unsatisfied and will rush to purchase the next "upgraded" OS. This business model has been hugely successful for them and it will continue to be until people wise up. Microsoft are capitalizing on human nature. Most people believe that "newer is better" but it is not always true.

    --
    Place creative sig here

    1. Re:The answer is... by Citius · · Score: 1

      Well, that may be true to some extent, but why, then, would people running OS 9 ever upgrade to OS X? Human nature will want something newer regardless of whether it's actually improved (in stability) over the old; as long as the core hasn't *decreased* in effectiveness, I'm pretty sure that it'll appeal to most people. After all, most people also are very easily-led sheep. It's the odd one in the bunch that questions the system...that means you, /.ers.

    2. Re:The answer is... by CockMonster · · Score: 1

      Does your job involve adding to and maintaining an OS? Mine does; your post is utter bollocks.

    3. Re:The answer is... by CastrTroy · · Score: 1

      Which is the mistake they made with XP. There's a lot of people who don't want to upgrade to Vista because XP is good enough, and Vista doesn't offer any positive features that make it worth the cost of upgrading. I think we'd be in a lot better position if MS had taken the money they spent on Vista, and spent it on fixing the remaining bugs in XP, as well as adding a couple things like DX10 for XP, which are only available with Vista.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:The answer is... by laing · · Score: 1

      Gates is on record as saying they don't fix bugs at M$. He said their main focus is on new features. I'm not going to bother looking for the quote. Google it yourself and learn about your master.

  16. Deserve to get paid by michaelmalak · · Score: 0, Offtopic

    But if you prevent millions of Internet Explorer users from being infected with spyware, you deserve to at least get paid what Bill Gates earns in the time it took you to read this sentence.
    I deserve to get paid for reading that rambling story that contained no useful information past the summary.
  17. Bad Idea? by vortex2.71 · · Score: 1

    Finding a security hole isn't necessarily a "bad thing". It's just information, which can be used by the company to fix the vulnerability or by unsavory people to exploit the software.

  18. Read more? by yanos · · Score: 3, Funny

    Click that magical little read more link below to continue the thought.

    No no no no. That's sooo web 1.0. Now we say after the jump! You're so out of touch with the current trends of the blogosphere!

    1. Re:Read more? by Anonymous Coward · · Score: 0
      You're missing the point!

      "Click that magical little read more link below to continue the thought." is such a beautifully formed sentence!
  19. There aren't even MS exploits listed on the site. by dami99 · · Score: 0

    This is stupid really.

    - Selling exploits like this is only going to encourage crime -- anyone who thinks a big vendor like MS is going to buy exploits this way is fooling themselves.

    - All of the exploits currently listed for auction are for "free" software. Who (except a very unlikely angel corporation) is going to pay for these exploits, except criminals?

    (Note that I have no problem with vendors paying for this stuff, but this auction method exists to make money by selling exploits to criminals. Call it what it is.)

  20. Wow... Brilliant! by Dan_Bercell · · Score: 1

    Another post by someone who only read the title!

    1. Re:Wow... Brilliant! by Gothmolly · · Score: 2, Funny

      You must be new here.

      --
      I want to delete my account but Slashdot doesn't allow it.
  21. Finding an exploit is not a "bad thing" by benhocking · · Score: 2, Insightful

    Using an exploit maliciously is, but finding the exploit is not a bad thing. In fact, it's a good thing. Hence, it should be rewarded.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:Finding an exploit is not a "bad thing" by hauntingthunder · · Score: 1

      Well, finding the exploit is not always a bad thing.

      Trouble is, if there's a cash incentive, bad people will get involved; it's just human nature. Why else are there spammers and other such scum?

      --
      You will never get to heaven with an Ak 47... But A Zu 30 is good for Low Flying Cherubim
    2. Re:Finding an exploit is not a "bad thing" by Culture20 · · Score: 0

      There's already a _greater_ cash incentive for the scum, and they're already finding exploits. What is needed is a lesser, legal cash incentive for the good guys, so that the good guys find them first.

  22. "Bill Gates Should Buy Your Buffer Overruns" by Anonymous Coward · · Score: 0

    That's the dumbest fucking idea I've ever heard since I've been at Microsoft.

    640 buffer overruns ought to be enough for anybody! --Bill Gates

    In Soviet Redmond, Bill Gates buys buffer overruns from YOU!

    Thank you, thank you, folks! I'll be here all week. Try the veal!

    (heh: my CAPTCHA was micros - no joke)

  23. Good idea but by sheriff_p · · Score: 3, Insightful

    I think this is a good idea, but it's unlikely to happen - by buying such a thing, Microsoft sets themselves up in a position of liability - something that software vendors have so far largely managed to avoid.

    Say they buy one exploit, but not another, and some company gets caught by the other. Microsoft have put themselves in a pretty nasty legal liability position there.

    Additionally, it'll look a lot like endorsement of black-hat practices, something MS will want to avoid... ...

    --
    Score:-1, Funny
    1. Re:Good idea but by TimothyDavis · · Score: 1

      How many of the wild exploits actually used vulnerabilities that Microsoft didn't already know about?

      Viruses like ms-blaster etc were built off of reverse engineering the patch, and writing the virus to exploit unpatched machines.

      I think the major problem that Microsoft has faced is how to patch the world as quickly as possible on a patch Tuesday - especially since most home users don't have an IT guy to do it for them. The constant patch nagging put into XP SP2 has dramatically increased the patch uptake by non-IT supported users.

  24. The Cheapest and Best Solution is... by asphaltjesus · · Score: 1

    Shout from the highest roof top in every city that black hats should be hanged. It won't be long before there's a mob ready to hang black hats. Better still, Microsoft comes out looking like the good guy.

    Microsoft has employed this strategy for at least a decade now.

    This story is preposterous.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
  25. That was already addressed by benhocking · · Score: 3, Insightful

    There are a lot of intelligent people who would be willing to do it legally for far cheaper prices than the black market will pay to do it illegally. Not everyone is immoral. Personally, I'd like to believe that most people are basically good people.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:That was already addressed by Anonymous Coward · · Score: 1, Funny

      That is adorable.

    2. Re:That was already addressed by skiflyer · · Score: 1

      And those're just the ones who are going to actively pursue this.

      There's the other side... those who find a problem, and just don't do anything about it. Why should I go to the MS website and hunt for an hour for a link if I find an exploit? I could just forget it and move on with my life and do work which actually generates a paycheck.

    3. Re:That was already addressed by Peacenik45 · · Score: 2, Insightful

      Immorality has nothing to do with it. I don't think there's anyone out there who willingly would do something wrong or 'evil'.

      It's just that when you're faced with the opportunity to sell something you worked hard on (or chanced upon) for a lot of money, you probably will want to get as much of a return on your work as possible. You don't want to be the shmuck who turned down $1000 because he was worried about the exploit ending up in the wrong hands. You'd try to justify it. You'd think 'Oh, Microsoft would find out about this eventually' or (as somebody else commented) 'Microsoft probably wouldn't patch this immediately anyways'.

      A guilty conscience wouldn't keep you awake. You'd just realize that there's a lot of shit going on in the world and your one little exploit won't even be noticed.

      Then the next day you'd go out and buy a nice home theatre system with all the money you made.

      That's just human nature.

    4. Re:That was already addressed by AusIV · · Score: 1

      There are a lot of intelligent people who would be willing to do it legally for far cheaper prices than the black market will pay to do it illegally.

      Reminds me of the piracy debate. I've long said that part of the problem with piracy is that the pirates offer better (less restrictive) products than the original media producers, and that the media producers might see a boost in sales if they started selling unrestricted products more equivalent to what you can get from a pirate. Personally, I prefer to get my media DRM free, but I've been known to circumvent DRM for private use.

      Of course, some pirates are just looking for a free lunch, but I suspect some would rather buy their media legitimately if they could do so without the inane restrictions.

    5. Re:That was already addressed by trjonescp · · Score: 1

      -- Ben Hocking Need a professional organizer? [timespaceorg.com]
      Do you recommend to your clients that they spend time on /.?
      --
      Only speak when it improves the silence.
  26. I'd say their revenue has been hurt enough by benhocking · · Score: 1

    The key question is, IMO, has their revenue been hurt more than it would cost to pay for vulnerabilities? I'd say it has. Sure, you could argue that the revenue loss is not a large percentage of their total revenue, but presumably paying for the vulnerabilities would cost even less.

    --
    Ben Hocking
    Need a professional organizer?
  27. Basically, legitimacy by Flying+pig · · Score: 2, Insightful

    It makes far more sense to be a legal, well rewarded security researcher with a useful CV than a criminal. Nothing gives a person ethics like being well paid for it.

    --
    Pining for the fjords
    1. Re:Basically, legitimacy by Valdrax · · Score: 1

      Nothing gives a person ethics like being well paid for it.

      Yes, because that has held to be so true in the arena of smokable drugs.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  28. Hrmm...Bounty Hunters... by Citius · · Score: 2, Funny

    So, will we get massive Clone armies for hunting down rebel security holes? Boba Fett to the rescue!

    1. Re:Hrmm...Bounty Hunters... by BlackSnake112 · · Score: 2, Funny

      Doesn't Boba Fett look exactly like each person in the clone army?

  29. Fix the problem... by Deadstick · · Score: 0, Flamebait

    ...where it begins. Microsoft's security analysts have access to the source code. If they can't find exploits before outsiders find them by reverse engineering, you have prima facie evidence that M$ is (a) not hiring very talented analysts, or (b) not motivating the ones it has.

    I've worked for a (non-IT) company where if you invented something that saved the company a million dollars, you'd get a coupon good for a clock radio or a DustBuster. Billion dollars, maybe some luggage...and you were bloody well expected to be grateful. For some reason, we didn't invent much. Meanwhile, the company was spending millions on the endless parade of corporate self-help scams (Zero Defects, TQM, ISO9000, ad nauseam) that produced less than they cost.

    At a minimum, an analyst who documents an exploit should get some kind of bonus based on an estimate of the damage it would have caused in the wild. Further, I think they should be working in an adversary relationship with the developers...your typical coder should look on them about the way a detective looks on Internal Affairs.

    rj

    1. Re:Fix the problem... by Anonymous Coward · · Score: 0

      I really do not know why you got modded down. It's almost like Microsoft doesn't want to hassle with fixing their own product, and only does so when there might be heavy liability involved. It's almost like they want to pass as much of the problem onto antivirus companies as they can.

  30. Poor Assumption by PPH · · Score: 1
    This assumes that the 'best' exploits make it to some sort of market. In my experience, the best ones are written as works for hire by organizations intent on committing political, industrial or financial espionage. They tend not to be widely distributed and don't produce easily detectable fingerprints in the form of network traffic, strange PC behavior, system crashes, etc. Many have yet to be discovered.


    The prices that these sorts of exploits command would make a significant hole in Microsoft's finances.

    --
    Have gnu, will travel.
  31. What's the big deal? by Thyamine · · Score: 1

    I guess I'm confused as to why this is different than the government/police offering up rewards for criminals and fugitives? Sure it would be nice if Microsoft could solve all of this beforehand with some well written code, but I can understand how things get through considering the size of their code base and the numbers of people trying to collaborate.

    If we don't have a problem with paying to get criminals off the street, why should we care if someone is getting paid for an exploit. If all these 'gangs' of spammers/exploit writers really are trying to one-up each other, why not turn in competitors' exploits to make them less virile and screw them over.

    --
    I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
    1. Re:What's the big deal? by Anonymous Coward · · Score: 0

      It's different because this is not offering a reward. This more equates to someone knowing incriminating evidence against someone, then allowing both the bad guys and good guys to bid for who will offer the highest reward.

      This is an incredibly stupid idea and personally I hope it gets shot down. I doubt any legitimate vendor would be dumb enough to go in the bidding.

      How about considering what happens when they start posting the shit loads of Linux vulnerabilities this way? After all, with open source code it is much easier to research and create salable offerings. Who is going to find the money first, the good guys or bad guys?

  32. No incentive, and some argument against... by Bob-taro · · Score: 1
    What's the incentive? Yes, people bash MS, and complain about all the bugs and exploits, but I don't think it's hurting their bottom line, so they've got no reason to change. I think it would be great and logical to have some kind of discretionary monetary reward system for reported vulnerabilities (just like you might reward someone who returned a lost wallet or something), but I'm a regular person. A high-level manager might see several problems with this:
    • Once you pay for the vulnerability, you've basically admitted it's there and that you didn't already know about it, and you might not want to do this.
    • Your testing staff might try to game the system.
    • You open the door to all kinds of bad publicity: people mad that their exploit didn't pay, or didn't pay as much as another, or was ignored (when it was really unfounded)
    Some of this might have been addressed in TFA or even the summary (I didn't read the whole thing - sorry!). My point is just there are some negatives, and for a PHB they probably outweigh the positives (especially when measured in $)
    --
    Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
  33. Anti-terrorism...? by Bat_Masterson · · Score: 3, Interesting

    I wonder if this strategy could be used as a means to averting terrorism?

    That is, don't just offer large amounts of money for the most important terrorists (like bin Laden), but also offer varying amounts of money for reports that stop terrorism.

    1. Re:Anti-terrorism...? by disasm · · Score: 2, Insightful

      Great idea...

      Yes, is this the US government? Yes, I got word that Bat_Masterson is planning to blow up the whitehouse. I think you should go arrest him and give me $5000 for reporting this incident before he could wreak havoc. What he's an upstanding citizen? No that's just a front he's pulling he really is a terrorist and needs to be dealt with. Okay, I'll get the check in the mail next week, sounds good to me. Glad to do my part in averting terrorism.

      Sorry Bat, I know you weren't planning that, but I really need the $5000...

      Sam

    2. Re:Anti-terrorism...? by blueskies · · Score: 1

      You somehow "accidentally" missed a key phrase...

      for reports that stop terrorism.

    3. Re:Anti-terrorism...? by Anonymous Coward · · Score: 1, Informative

      That happened in Afghanistan. The US government ended up "detaining" people whose neighbour had a grudge against them.

  34. Wouldn't work. by Spy+der+Mann · · Score: 2, Insightful

    OK, give us your info, and we'll pay you if we consider it's genuine.
    (2 days later) Guess what, it's not a true exploit. Sorry, no pay.
    (1 week later, at Windows update) We've fixed a patch for a recently discovered vulnerability!

    1. Re:Wouldn't work. by Anonymous Coward · · Score: 0

      (2 weeks later, at news.com) Internet paralyzed by the new Should_Have_Paid_Us worm, developed by a group of highly intelligent, highly motivated security workers! "It would have been cheaper to pay them in the first place!" laments MS spokesman. "What have we unleashed!"

      I don't know why the majority of slashdot seem to be disparaging this idea as it sounds fantastic to me from any angle I can look at it.

      "But they could re-sell the exploit to hackers after they sold it to Microsoft!!!!" And so ... MS know about the exploit and patch it, and these hackers start to wonder why every exploit they get from Mr. seems to get patched within a few days... What's the problem here?

      "Microsoft don't care anyway" Well why do they release security updates at all then. They care halfway? I'm sure Microsoft can issue an amount of money that is an incentive to researchers, yet costs them substantially less than paying their own dedicated researchers to search for exploits full-time.

      "Microsoft could refuse to pay and then patch the exploit anyway!" Word of this would get around very fast on the internet, and if this endeavour is partly designed to enhance the reputation of the company, methinks this would not be a very efficient way to go about it. As before, I'm sure the amount MS gain from learning about exploits before they become major problems can outweigh the prize money on offer.

      As an internet user, primarily using MS products and concerned about security and stability, I really wish they'd implement this suggestion. I didn't think that much of Slashdot had gone to Linux yet that ideas that would increase the stability and security of Windows were viewed as BAD things.

    2. Re:Wouldn't work. by Sapphon · · Score: 1

      (1 week later still) Hey, I found another exploit! Should I report it? You know what.. let's exploit that sucker.

      You're supposing that large companies are naive enough to value the short-term gain of saving on one payout over the long-term gain of having freelance bug-finders out there. Is that realistic?

      (remember, this article is about ALL large software companies, even if only one of them has been used as a stand-in)

      --
      Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
  35. Solving the drug problem by subsidizing dealers by BeProf · · Score: 2, Insightful

    Rewarding unethical behavior?

    What could *possibly* go wrong?

    --
    You are attempting to read sigs. Cancel or Allow?
    1. Re:Solving the drug problem by subsidizing dealers by Anonymous Coward · · Score: 0

      I agree.

      I think that Microsoft is evil --- but that doesn't justify blackmail!

      "I know how to pick the lock on your house. Give me $10,000 and I'll tell you how to stop me. Otherwise I'll tell a thieving, murdering rapist how to do it. So do the ethical thing and give me the money --- I'll just tuck it into my white hat here."

  36. A very simple fool-proof solution by jkrise · · Score: 1

    Would be for Microsoft to simply open source the entire Windows kernel and everything else. Winning the security race is an impossible task these days - it means buying positive press, paying for scumbag hackers who have no scruples etc. etc. It's clear over the past decade that it is impossible to add security as an after-thought to a shoddy security model.

    If MS releases everything else except a few secrets and binary drivers, these security researchers will find their entire industry crumbling down instantly, and users will have a genuinely secure experience - since they will now be able to examine exactly what hackers and trojans are up to.

    Of course, Microsoft's own Live One Care and tech support will suddenly be over-staffed, but that would be a pleasant problem, wouldn't it?

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:A very simple fool-proof solution by Fizzl · · Score: 1

      That's cute...

  37. They're not interested by Archie+Gremlin · · Score: 5, Interesting

    In my experience, MS aren't interested in reports of security holes anyway.

    I found a security hole in an MS product about 6 months ago so I sent a full description with working test code to secure@microsoft.com.

    I got an automated response (so far so good) but then I heard nothing more. After a month, I sent them another email to ask if they were doing something. Silence. Another month later I rang Microsoft support and asked them to give me an update. They told me that the case number doesn't exist and that they don't have a department called the "Microsoft Security Response Center".

    Eventually I found an engineer who does support for the product with the security hole. He said he'd heard a _rumour_ about the MSRC and offered to track them down. Eventually, I got an email update from them saying "we might get round to fixing it in a few months."

    In short, if they're not interested in free security reports, why would they pay for them?

    --
    To er is human. :~)
    1. Re:They're not interested by tqbf · · Score: 3, Interesting

      I'm not sure why people are modding up a post that claims that the MSRC is a "rumor" inside of Microsoft. The MSRC is famous; news stories are written when people move to and from the group. They release all the Microsoft advisories, each of which typically elicit yet another news story. A position in the MSRC was listed as "one of the worst jobs in science" in SciAm (obviously wrong; people compete to get jobs there).

      Why don't you tell us more about the security flaw you claim to have found?

  38. Designed exploits by Shotgun · · Score: 1

    What about the exploits that aren't accidents, but are actually designed in, ie (har-har) Active-X controls that allow anyone to execute arbitrary, unrestrained code on every system that visits a website. Paying for someone to report these obvious exploits would amount to paying someone to call you an idiot.

    The author's problem is that he thinks Microsoft should be concerned about delivering a good product. Everyone privy to how corporations work knows that the goal is only to deliver a product that the customer will pay for.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  39. Sig by Darlantan · · Score: 0, Offtopic

    While I like your sig (though I don't recognize it as a reference), what the hell is a Zu-30? The closest I can come up with would be the Tunguska AA system being incorrectly referred to as the ZSU-30-6.

    You might consider revising it to ZSU-23 (actually, ZSU-23-4 would be more accurate -- that's the old Shilka, but they're still used IIRC) or 2S6 (Tunguska).

    Failing that, could you at least tell me where the line is from?

    --
    Fill in your four or five-letter word of wisdom here _ _ _ _ _.
    1. Re:Sig by hauntingthunder · · Score: 1


      I believe the ZSU-30 was the follow-on from the ZSU-23; not sure if it ever went into production. Originally I had it as "a DShK (a WP HMG) is good for low flying cherubim."

      I think the idea for the sig came from watching a Muppets episode a long time ago.

      --
      You will never get to heaven with an Ak 47... But A Zu 30 is good for Low Flying Cherubim
  40. Microsoft Already Does Pay For Your Overflows by tqbf · · Score: 1

    No technology company in the world spends more money on security testing than Microsoft does. At any one time, it's likely that Microsoft retains a plurality of the security testing industry to perform code review and black-box testing on the myriad of products they are releasing this cycle. These aren't Microsoft employees; these are team members of the boutique security consultancies being paid directly by Microsoft to find vulnerabilities in products before they ship.

    Microsoft is already paying for vulnerabilities. Investigate and you may find that just as Google singlehandedly jacked up the comp for every web-savvy C/C++/Java dev in the valley, Microsoft has amped up the bill rates for security consultants worldwide. Entire consulting outfits are built around pipelines of Microsoft work; some of the best and most famous researchers in the world work for these outfits.

    Seven years ago, it was probably valid to single out Microsoft for carelessness about software security. But, just like this essay implies, software security is a problem that money can impact. Microsoft has lots of money. Since Windows XP, they have certainly put it where their mouth is.

    There are differences between "true independent security research" and contract work for vendors. They're not clear-cut enough to make a value judgement. Researchers on contract to Microsoft get access to source code, developer documentation, test tools and the dev team. They also find problems before customers are exposed to them. On the other hand, indie researchers don't have to pass phone screens, know how to sell, or have the right contacts. Both groups find stuff.

    It's worth noting that the overwhelming majority of external Microsoft findings in 2007 come from vendor-sponsored "research labs", usually attached to IPS signature farms (like the ISS "X-Force"). These groups strain the definition of "indie", are already well-compensated, and will continue to harvest findings whether or not an incentive scheme is created.

    In any case, "WabiSabiLabs" is unlikely to have any impact here. Every major product Microsoft releases has been audited by a competent third party. Microsoft has re-vamped their coding standards, deprecated old C/C++ idioms, introduced new ones, developed internal tools, adopted static analysis, and instituted a culture of security design reviews that starts before the first line of code is even written. As a result, a major "indie" Microsoft finding is a big deal. You'd be naive to put it on some fly-by-night auction site; a Microsoft remote code execution finding is already liquid in the grey market today.

  41. it could work. by ArcadeX · · Score: 1

    Several arguments were covered, and comments are just rehashing them. Yes, you will have people that sell to both sides, yes prices may get driven up, but it's also going to drive up the number of honest people out there. For every exploit sold to both sides, how many will be discovered by honest people that otherwise wouldn't have invested the time without any returns? So what if an exploit is sold to both sides; better M$ be working on a patch while the blackhats are still making / distributing the exploitation system vs. M$ being completely behind and the exploit in place before the patch comes. M$ could even go for something that doesn't really cost them as much, like instead of cash, copies of software. Blackhats aren't going to worry about something they would steal anyway, but many whitehats could put an MSDN subscription to use. It's almost like the old MAFFIA argument... does it really cost M$ anything if they wouldn't have bought the software anyway, which only leaves them out the cost of the media?

    --
    An I.T. motto in the hands of an idiot is a dangerous thing...
  42. what?? by phantomfive · · Score: 1

    Does he realize that he is talking to people who write software and operating systems in their spare time and give it away for FREE?? And he is trying to justify his greed to people who would mostly do what he wants for free as well? And he tries to manipulate us into thinking it's ok by using Microsoft as an example.

    If he wants to try to make money off of exploits and the like, then let him go take it up with the vendors. There is no reason to try to appease his conscience by preaching here that we should agree with him. If you think it is a good idea dude, do it! Don't be bothering us about it or worrying what the rest of the world thinks of you.
    --
    Looking for a C/C++ job in Silicon Valley?

    --
    Qxe4
  43. Same class of problems over and over again by raddan · · Score: 1

    As many people have pointed out, Microsoft's problem is that they don't seem to take the "big picture" approach to bug fixing often enough. I mean, how often have we known that buffer overflows are a problem? Microsoft itself even has a page on safe string handling functions to replace strcpy and its ilk. Switching to these functions is trivial.

    Microsoft has harder problems facing it-- buffer overflows are only one class of problem. But it seems that Microsoft's highly compartmentalized development process prevents someone from saying, "You know what? We keep seeing the same kinds of bugs. We need to require that all our developers do X." Until someone at MS does this, we're going to see this patching go on indefinitely.
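
    The strcpy-versus-bounded-copy swap the comment above refers to, shown as an added example (my code, not Microsoft's safe string library and not from the original post). The "before" function keeps the classic overflow pattern on purpose; the "after" function is a bounded copy that always NUL-terminates and reports truncation instead of hiding it. NAME_LEN and the sample inputs are constructed for the illustration. One caveat the example makes visible: a bare strncpy(dst, src, NAME_LEN) would not terminate dst when src is too long, so the hardened form writes the terminator explicitly.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed fixed-size field for the example */

/* BEFORE: the pattern under discussion. strcpy stops only at the source NUL,
 * so any src longer than NAME_LEN-1 bytes writes past the end of dst (stack
 * buffer overflow). Kept deliberately vulnerable; never feed it untrusted input. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* AFTER: bounded copy. Copies at most NAME_LEN-1 bytes, always writes the
 * terminating NUL, and returns -1 on truncation so the caller can reject the
 * input rather than silently continue with a mangled value. Returns 0 on a
 * complete copy. */
int copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';   /* strncpy alone would skip this */
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n+1 includes the NUL */
    return 0;
}

int main(void) {
    /* constructed inputs: one that fits, one 40 bytes long */
    const char *short_name = "alice";
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char buf[NAME_LEN];

    copy_name_unsafe(buf, short_name);       /* fine only because it fits */
    printf("unsafe, short input: \"%s\"\n", buf);

    if (copy_name_safe(buf, long_name) != 0)
        printf("safe, long input: truncated to \"%s\" (%zu bytes)\n",
               buf, strlen(buf));
    /* copy_name_unsafe(buf, long_name) here would overflow buf by 25 bytes */
    return 0;
}
```

    The return code matters as much as the bound: a component that truncates a path, a username or a URL and carries on can turn an overflow into a logic bug (authorization on the wrong name, a file written to the wrong path), so callers should treat -1 as a rejected input.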

  44. Bad Idea by Anonymous Coward · · Score: 0

    There is one word that describes this sort of thing: Blackmail. 'nuff said

  45. The prize you can never win. by db32 · · Score: 1

    Step 1. Discover Exploit
    Step 2. Submit Exploit to MS for prize
    Step 3. MS rejects exploit saying they already were aware of that, thank you, try again.
    Step 4. MS patches previously unknown vulnerability using free 0 day information.
    Step 5. MS gets great PR for stepping up their security program and fixing tons of stuff.

    You MIGHT get some of the big players to go ahead and play along and pay. But given the behaviors of most of the companies involved in the major security issues...good luck getting paid.

    --
    The only change I can believe in is what I find in my couch cushions.
  46. There already is a cash incentive by benhocking · · Score: 1

    There already is a cash incentive and bad people are already involved. The idea is to provide a cash incentive for (more) good people to get involved in a positive way.

    --
    Ben Hocking
    Need a professional organizer?
  47. It's target based performance metrics at work by Anonymous Coward · · Score: 0

    There's only one reason why everything in the modern world is turning to shit.

    With arbitrary performance metrics set by clueless assholes in management, it's easier to meet goals by fiddling figures and ignoring problems. So not only are the Microsoft security response team ignoring reports, they're combining patches and silently patching in order to make the stats look good.

    Proof that Microsoft still don't "get" security; they see it as a marketing exercise.

  48. Non-Story: WabiSabiLabi by Frosty+Piss · · Score: 1

    People keep submitting stories to Slashdot about WabiSabiLabi, but when you go there, there really isn't anything to see. Is WabiSabiLabi the story, or is the story WabiSabiLabi? Look, six months from now, WabiSabiLabi will be gone for fairly obvious reasons. It was a fair shot at Internet cash, but the Dot Com bubble burst, and people just are not really interested in that kind of business model anymore.

    --
    If you want news from today, you have to come back tomorrow.
  49. implications of a purchase by sanimalp · · Score: 2, Interesting

    This idea may seem great on paper, but in order to buy an exploit, a person would have to provide payment, which is the fatal flaw. Now, let's say the feds want to get a quick list of people that may be using exploits for unlawful computer access. Subpoena the DB of the exploit auctioneer, and voilà, a giant list of exploit users. Like shooting fish in a barrel. Something tells me this exploit auction system may work OK if companies purchase it, but I don't think underground exploit buyers are going to surface to harvest exploits from this website..

  50. No problem by session_start · · Score: 1

    I've had Comcast before; theirs, along with several other sites, say their site does not work with Firefox, etc. However, using Firefox and changing what the user agent sends does not break the site... In other words, it seems to be a simple check to see if you're using IE, and if you're not, they will tell you the site won't work, even though it really does (most sites). 1) Use Firefox anyway 2) go to about:config 3) add config.about.agentoverride 4) set the string to the browser/OS you want Comcast to see.

    1. Re:No problem by session_start · · Score: 1

      LMAO, too much coffee, not enough sleep - wrong thread... i think you know where it goes though.

    2. Re:No problem by rob1980 · · Score: 1

      At least you didn't accidentally hit the "e-mail inappropriate material to your boss, your boss's boss, and the company president" button. ;)

  51. Microsoft Marketing by hoy74 · · Score: 0

    If Microsoft would take on something like this; and their marketing department spun it the right way, it would be much cheaper than paying for Google ads.

  52. Fortress by Spazmania · · Score: 1, Funny

    there's one obvious thing [Microsoft] can do to help protect users: offer to buy up the security vulnerabilities themselves.

    Sure, because the way to keep folks off your lawn is to erect a fortress and then reward anyone who breaches it with cash.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Fortress by Anonymous Coward · · Score: 0

      That is an excellent point.

      Speaking of which, I happen to make fortresses for a living. They come in little black boxes that are very easy to install, and my marketing department tells me that they're very secure. I would be happy to sell you a few licenses for your home... er, units... yeah, units.

    2. Re:Fortress by Sapphon · · Score: 1

      It's not Microsoft's lawn, it's Joe User's lawn; Microsoft is selling the fortress, and paying for anyone who reports a (literal) back door so they can nail it shut.

      Joe User's lawn is better protected, and Microsoft sells more fortresses.

      --
      Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
  53. Reporting security flaws to MS is useless. by Repossessed · · Score: 1

    Because Microsoft's security strategy is to pretend that they have fewer security flaws than the competition. Even when they *do* admit to flaws, they're usually behind on patching them. In fact, the whole thing would be a bad idea for Microsoft as a result. They'd end up with a huge number of known flaws, and still lack the resources to do anything about them.

    (I see far too many machines with eyeball-identifiable malware, despite the fact that the customer is fully patched, anti-virused, and anti-malwared (blacklists suck, they really do), to believe that MS is capable of coming even close to patching all the flaws. Even with the added protection of third-party help.)

    --
    Liberte, Egalite, Fraternite (TM)
  54. Not to a schmo' and broken idea by Anonymous Coward · · Score: 0

    Microsoft is much better off contracting with a security company who has some sort of agreement with them. Paying rewards to random schmoes has all sorts of inherent problems associated with it. The only legit way to leverage finding exploits into cash is to find a lot of them, give them to someone (either MS or an aforementioned security firm), play a little politics and get yourself a contracting job to find more exploits for pay.

    The economy doesn't work out. To use some exploit a bad guy needs one. To prevent exploits MS needs them all. Say your band of white hats finds 1000 exploits and sells them to the highest bidder. Bad guy bids $1 million on all of them and satisfies his goal for $1 million. To prevent this, Microsoft has to pay 1000 x $1 million = $1 billion. They can't win, the idea is dumb. MS is better off not encouraging more exploits.

    1. Re:Not to a schmo' and broken idea by mmalove · · Score: 1

      "MS is better off not encouraging more exploits."

      What, you mean like releasing a secure operating system?
      Rubbish!

      --
      You can get 15 minutes of fame, but you can go down in history for infamy.
  55. Ha! by camperdave · · Score: 1

    Because if MS fixed it quickly...

    That's a mighty big if.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:Ha! by Com2Kid · · Score: 1

      You are right, it sure as hell is.

      What if: The bug fix impacts a feature that millions of customers are using?

      What if: The bug fix requires the modification of really complex code that touches dozens (or more) of other parts of the system?

      What if: The bug fix changes the internal behavior of Windows in a way that shouldn't be a problem, but a particular piece of 3rd party software that millions of customers rely on breaks after the fix is applied?

      Quite a few what ifs.

  56. Obligatory by PPH · · Score: 1
    Microsoft Pension Plan:

    1) Get a job on the Microsoft Windows team.
    2) Build in a bunch of exploits.
    3) Retire.
    4) Expose the aforementioned bugs.
    5) ????
    6) Profit!

    --
    Have gnu, will travel.
  57. Morality vs. Reality by bill_mcgonigle · · Score: 1

    If MS offers 10,000 dollars per exploit then that's going to be the minimum bid in the market. Someone will then offer 10,500 and the enterprising hacker will go for the extra cash.

    Only if you assume the amoral hacker.

    I posit most people are moral, and most people also have to pay the bills. Given the choice between $0+morality and $2500+immorality, most will choose the second, because $0 gets you starved and on the streets. But given the choice between $10K+morality and $10.5K+immorality, most will choose the first option. Neither figure accounts for the risk of jail time either. I'm sure a dyed-in-the-wool economist could come up with a value to dock from the $10.5K for risk.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Morality vs. Reality by Laurence0 · · Score: 1

      I have a slightly more optimistic view of people. I'd edit that to: Given the choice between $0+morality and $2500+immorality, most will choose neither and spend their time elsewhere, because $0 gets you starved and on the streets. But given the choice between $10K+morality and $10.5K+immorality, most will choose to spend the time finding the bug and then go for the first option.

    2. Re:Morality vs. Reality by bill_mcgonigle · · Score: 1

      Given the choice between $0+morality and $2500+immorality, most will chose neither and spend their time elsewhere

      Yes, quite so. My intention was to limit the discussion to the set of people who have the compulsion to try to break software all day, and are going to do it no matter what. But I certainly wasn't clear on that (other than the reality that most people don't do this at all).

      Your point can be expanded though - if the monetary reward were there, other people (perhaps more well-rounded) would also get into the game.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  58. The patch was available prior to Code Red hitting. by Anonymous Coward · · Score: 0

    Which is the whole point here. The issue that Code Red exploited has been available for a month before it hit critical mass.

  59. But if you did that... by sokoban · · Score: 1

    All your buffer overruns would belong to Gates.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
    1. Re:But if you did that... by Anonymous Coward · · Score: 0

      All your buffer overruns are belong to Gates. There, fixed it for you.

  60. You are right by nytrokiss · · Score: 1

    You are right, but look at it this way! People don't blame Msoft for the hack, they blame the hackers. It's like when someone steals from a house: do we blame the robber or the locksmith? It's up to the people now!

    1. Re:You are right by Anonymous Coward · · Score: 0

      If the locksmith sold me a lock costing as much as a windows license that was trivially easy for an unskilled burglar to open using instructions found on the internet then hell yes I would blame the locksmith as well as the robber.

  61. It won't work by JimDaGeek · · Score: 1
    Sure some people would be "legit" and sell the exploits to companies. Others just want to be "l33t" and get them out there on the inter-tubes. If the monetary incentive were good enough, I think the balance would tip, for a time, to selling the exploits to companies.

    However, I think this approach would go down in flames in a matter of months. Why? Well, I worked for 3 Fortune 500 companies and anything that happens in these large companies is very, very slow. Microsoft or any other company buying exploits would need to verify the exploit before paying out the bounty. So some security researcher finds a potential exploit, sends it to MS or another company. Now the fun game of waiting and waiting and waiting begins. If you're lucky, you will eventually be paid. Oh, and part of the submittal of the exploit will certainly include an NDA to not release the exploit. If you get tired of waiting to be paid for your work and release the exploit, get ready to be sued.

    Another big thing I see happening with closed source companies is non-payment for exploits. For example, MS pays for some big-ticket exploits, creates a patch and in that closed source patch they include some of the smaller ticket exploits and reject those small ticket exploit submissions as not being verified and then don't pay. What recourse would you then have? Sue Microsoft or some other large software company that can keep a court case going for months costing millions? What person submitting an exploit would have millions to spend on a court battle to be paid the $1,000 for their exploit?

    I think the only way to get companies to react to exploits is to:
    1. Send the exploit to the company.
    2. Give the company 2-3 weeks to respond.
    3. If no response in 2-3 weeks, release the exploit.
    4. If the company responds, get a firm date for the fix release.
    5. If the fix is not released in a timely fashion, release the exploit.
    The only things that motivate these companies are money, loss of money and bad press. If they won't fix their bugs, then force them to buy using one or more of the previous three options.
    --
    General, you are listening to a machine! Do the world a favor and don't act like one.
  62. Flawed logic by Anonymous Coward · · Score: 0

    The cost is not the $1000 per reported new bug. The cost is in the evaluation of the bug reports once you have a prize offered.

    How many false or duplicate bug reports will a large company such as Microsoft get once it has offered such a prize?

    Thomas

  63. Mozilla Security Bug Bounty Program - since 2004 by Giorgio+Maone · · Score: 1

    Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt

    OK, maybe it's time to adjust the cash for the weak USD, but anyway...

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  64. Reminds me of the human organ black market by Anonymous Coward · · Score: 0

    From TFEssay: (a little edited)

    "Perhaps you say that you would be willing to donate your organs to the hospitals for free, and I respect people who do that out of selflessness, but that's not the point. Even if you and some other people would do "organ-donation" for free, there are more people who would do it if there were prizes. The amount of people willing to donate organs for free, has not been enough to keep organs from being found and sold on the black market -- but if the hospitals offered enough money, it would be. Obviously if the hospitals offered more than the black-market prices, everyone would just sell their organs to them. But probably the hospitals could offer much less than the black-market prices and still put the black market out of business, because there are lots of persons who wouldn't sell their organs on the black market even for tens of thousands of dollars, but would be willing to participate in a legal "donate'n'earn" program for much less money"

  65. Pay for security by architimmy · · Score: 1

    Forgive me for even mentioning this but I expect that Microsoft already pays 100s of thousands of dollars every year for exploits in the form of salaries and overhead for the employees who work in their security division. Whether or not it would be more cost effective to buy exploits on the open market is more an issue for debate than whether Microsoft should pay to improve the security of their product.

  66. It should be a business by Anonymous Coward · · Score: 0

    The key to this issue is that exploring security holes should be treated as a business. This way it's all legit and nobody can object to the principle of getting the maximum profit out of it. If Microsoft is willing to pay the most, so that their product is safe, so be it.

  67. This is sounding a lot like pollution credits. by HeavyDevelopment · · Score: 1

    Thus creating a market for security. Linux distros and Apple could sell their security "credits" to Microsoft (or essentially anyone on the open market). In theory, eventually the market would come to an equilibrium. This would then necessitate the government getting involved (which we all know would really muck things up) and figuring out a way to measure security. The real problem is that there is no real incentive for Microsoft to change anything if they are flush with cash. And chances are it actually costs them more to change than to buy credits. Not unlike the big power generation companies and pollution credits, it's just another cost of doing business. But as the theory goes, other hungry, up-and-coming businesses will be motivated to innovate to a) not have to spend money buying credits and b) actually profit from selling credits. The huge downfall of this market plan is that you end up sanctioning a public "bad" (like insecure software or pollution) and with this system you never get to zero--there always has to be a market of buyers and sellers.

    --
    Badges!?! We don't need no stinking badges!
  68. Has no one here ever reported a bug to Microsoft? by Anonymous Coward · · Score: 0

    Guys, umm. I am dumbfounded. Expect to get paid for reporting a bug to Microsoft?

    You have to pay them to report a bug. If you're on one of their "customers who have a right to report a bug" lists, you can get your money back, if they decide that what you have reported is a bug.

    Having done tech support, I can certainly see their point. Easily 90% of what are reported as bugs in your product are, actually, something stupid and/or insane that the user has done. That kind of makes it tough to try to rely on your customers for bug reporting. 'Course, when your docs are opaque, and your tech support guys know less than many of your customers, your screening process isn't going to be all that effective, either.

  69. Well the present system doesn't work so well... by erroneus · · Score: 1

    ... after all, if I told a company that I had found a security exploit but wouldn't give it to them unless they paid me for the information, I think they'd call the FBI. Some circles call this "blackmail."

    This is a proposition filled with potential hazards to the exploit finder so, ironically, the safest and most profitable means of disclosure is through black auctions of some sort or another.

    I believe a LAW would actually have to be written to exempt security experts from civil/criminal prosecution before anything like contacting the company directly and asking for money could be anything other than a risk to the discoverer or reporter of the flaw(s) in question.

    I consider this to be a hole that product makers have created for themselves and I pray the industry (both the security side and the product side) matures to the point where there's a logical and acceptable process for handling these things. If it was something everyone understood like cars, safety and security standards could be more understood by experts and companies alike. (But then again, if the stuff said on "Fight Club" about how a company decides whether or not to do a recall on a car is true, then we're all pretty much screwed if they all think that way...)

  70. in Soviet Russia... by obergfellja · · Score: 0

    Buffer overruns you.

  71. WabiSabiLabi by Anonymous Coward · · Score: 0

    Since Wabisabilabi are only selling exploits that affect Linux users, Bill should hold onto his money. Ouch Slashdotters :-)

  72. Who will pay for linux exploits by Anonymous Coward · · Score: 0

    Microsoft has money, they can buy exploits. Linux doesn't, so who will buy the Linux exploits and prevent them from falling into the "wrong hands"?

    Making it easier and more efficient for exploits to be sold helps proprietary software vendors more than open source. I wonder how much people will like this when they see Linux exploits being sold.

  73. what about the DMCA by bwhat · · Score: 1

    if the exploit in question somehow comes under the "veil" of the DMCA, wouldn't that implicate the seller? Then if M$ or some other company buys an exploit does that then make them guilty as an accomplice or accessory? More to the point, DMCA sorta discourages "exploration" of various legalized electronic "protection" scams, so if MS were to offer to buy the exploits, it's almost like entrapment. Ug.

  74. Re:Accountability Anyone ?? by Phiu-x · · Score: 1

    "Microsoft would buy the knowledge of the exploit, patch it, and it would no longer be an issue."

    MS already has a lot of unpatched vulnerabilities. What makes you think they will patch it? Who has the responsibility for an undisclosed bug?

    You assume they will patch them immediately. Why would they do that? There is a reason why they are not patched: it does NOT affect them! It does not make them LOSE money! Why? Accountability, AKA: the principle that individuals, organisations and the community are responsible for their actions and may be required to explain them to others.

    Now go read any MS EULA and you'll see they are not accountable for anything that happens to you if you use their software. Why? Otherwise, MS would be bankrupt because of too much legal fees. And don't think about the government coming up with a bill for that. That would be political and corporate suicide. A solution is to keep the source OPEN. That way, no one will be able to sue BUT you can be damned sure your software will be patched!

    Security and accountability will be the reasons for the oss revolution.

    I'm all for this white/grey/black market. It brings light to this very issue.

    --
    This is a stolen sig.
  75. Free Advertising by Anrego · · Score: 1

    Is slashdot trying to advertise this service or something?

    Seriously... I've seen stories about this site like 3 times in the last month. And every time I visit the site it's the same 3 lame exploits.

  76. Fundamental Logic Flaw by gatesvp · · Score: 2, Insightful

    Look, there are lots of good explanations here, and personally, I'm a fan of the "bounty system". When I first saw "bounties" for Ubuntu I was overjoyed! Feeding IT people is really important for IT growth.

    However, in this case, the logical flaw is actually the market; do a cost/benefit analysis. Microsoft, as a monopoly, does not make or lose any significant amount of money on OS security flaws. Companies with a budget capable of supporting security flaw bounties don't actually need them short-term.

    These big companies are publicly held and security flaw bounties do not help quarterly profits, or even annual profits (why these are important is a different issue). If I have SAP running my 10,000 employee business I can't just leave b/c SAP has too many security holes, moving is very expensive. It's probably cheaper to eat a small customer lawsuit than to switch systems. Now, if I'm really smart/motivated/scared I may move off on the next upgrade cycle, but these cycles only happen every 5-10 years. So SAP won't set up public security bounties b/c it is not beneficial to their shareholders in any way they can fathom. MS has the same deal, sure they can make the OS/DB/IIS more secure, but it must already be secure enough as nobody's leaving, right?

    You have the right idea, but the impetus for broad security testing is simply not there. The only people who would "benefit" from such bounties are actually the unestablished new-comers or the competitors to monopolies (like Linux providers). With an open bounties system, these companies can use the security feature as leverage for marketing their product. But these are still very long-term deals and such a company would need to convince investors that the long-term benefits of such an action outweigh the short-term costs.

    In the case of, say, Linux and LAMP and PostgreSQL, we're probably there. These guys are great candidates for such open bounties. And these long-term activities are likely to pay off. Mac OS X may benefit from the same interest as they try and poach desktop/home users. But MS and SAP and other dominant players can't deliver better profits to their investors with such a system, so they won't do anything until investors get scared and start demanding one. We're not there yet.

    1. Re:Fundamental Logic Flaw by SoopahMan · · Score: 1

      That's completely untrue. Microsoft's public image used to be held back primarily by its "evil" appearance. That hasn't gone away but it's certainly faded because the rise of security flaws has been hammered in the press. Nothing has been more associated with Microsoft in the past 3 years than the words "security flaw." There is no one thing worse for Microsoft's public image - and so, their success - than these flaws.

      So yes, while your computer getting a virus does nothing to their bottom line, the viruses that make the press really hurt their ability to retain customers. The worse their image the more they open the door for Apple - and it's absolutely no surprise Apple has been more on the rise now than in the past decade. It also opens the door for Linux, although the problem of providers is a nagging issue there - but that has, to a lesser degree, also been on the rise in a more significant way than it had prior to 3 years ago.

      So yes, these flaws are a MAJOR impact to Microsoft's bottom line. I would say for the OS division - their most important division - this is THE single most important factor.

      So, in light of that, I think paying for flaws is actually a very good idea. It is true that white hats have a sort of hard market to get into. Black hats have money waving in their faces.

      Google already does something like this. For example, it was recently reported in the news that a 19 year old found a major flaw in Writely/Google Documents, and sent it to Google. Google hired him.

    2. Re:Fundamental Logic Flaw by gatesvp · · Score: 1

      OK, when you're telling me that something is completely untrue about the stock markets you can at least check the charts.

      Microsoft has been consistently between ~$21 & ~$30 for the last 3 years or so. Since mid-November in 2006 they've covered that entire ground (from 21 to 30+), which means that their market cap is up. So I seriously question your "bottom line" comments b/c MS doesn't seem to be suffering that much. Windows Server usage is actually moving up. And home Windows usage is likely moving sideways to "slightly" down as usual. (which is irrelevant b/c, let's face it, when you have more than 90% share in a competitive market, you basically have to go down)

      So basically you managed to spout a bunch of opinions with no research and a complete failure to counter anything I've mentioned. You may believe that these flaws are impacting the bottom line of the MS OS division, but if you can't bother to at least do a Google and look up stock prices then you're just spouting fumes.

      You're also not making any counters to my SAP comments. You got all in a huff about MS, but you didn't give me one good reason why a giant like SAP should be paying for security flaws. You've done nothing to help improve my understanding of reality (or anyone else's), you've done nothing to clarify the situation or attempt to even correctly grasp the problem.

      So, in light of that, I think paying for flaws is actually a very good idea.

      Clearly I did too, I was trying to tell you why it's not happening and you didn't listen.

    3. Re:Fundamental Logic Flaw by SoopahMan · · Score: 1

      Stocks have nothing to do with it. Stocks have more to do with investors reading tea leaves. Their sales of their software matter, and those are down down down.

    4. Re:Fundamental Logic Flaw by gatesvp · · Score: 1

      What? Stocks = Shareholders = Part owners of the company

      All publicly owned companies are beholden, by law, to act in their shareholders' best interests. When stocks are up, that means that shareholders are happy, which inherently means that they're selling software.

      Contrary to popular belief MS is still making lots of money. You can say that MS software sales are down, but you're too lazy (again) to even bother to look up that number, or hyperlink to any source of value.

      You may not have a solid understanding of investing, or you may believe it to be some form of tea-leaf reading. But when stock value is moving up that means that lots of people think that Microsoft is going to be worth more money. And again, the numbers are proving that their revenue is increasing year over year.

      Look, you've obviously been modded up elsewhere on /. so it's unlikely that you're a complete fool; however, you just walked into a sword fight with your sharpened spoon. When you have something useful to say that isn't a waste of the very bandwidth it's using then maybe you can try again :)

  77. Re:Accountability Anyone ?? by vfrex · · Score: 1

    Keep in mind, my statement was a hypothetical response to a hypothetical statement in a hypothetical scenario. We're really stretching this farther than we should be... ...but you are nuts if you think that Microsoft isn't losing money from the countless security vulnerabilities in XP that have allowed massive botnets to form and attack. Corporations have technology purchasing cycles, and as time goes on, I think we will continue to see backlash from those vulnerabilities and worms by way of corporations considering alternatives. Why do you think Microsoft has tried so hard to secure Vista, especially despite the complaints from security giants like Symantec? It costs money to hire programmers and to test for problems extensively before earning any revenue off of a product. Yes, Microsoft has deep pockets and other products to earn it money. But their investment in Vista was absolutely massive, and they took a damn long time to release it. They know that another security failure like the pre-SP2 days of XP would thrash their reputation very, very badly. There wouldn't be many CIOs out there not considering an alternative OS, and that is the last thing that Microsoft wants.

  78. That's some humans' nature... by benhocking · · Score: 1

    It's just that when you're faced with the opportunity to sell something you worked hard on (or chanced upon) for a lot of money, you probably will want to get as much of a return on your work as possible. You don't want to be the shmuck who turned down $1000 because he was worried about the exploit ending up in the wrong hands. You'd try to justify it. You'd think 'Oh, Microsoft would find out about this eventually' or (as somebody else commented) 'Microsoft probably wouldn't patch this immediately anyways'. A guilty conscience wouldn't keep you awake. You'd just realize that there's a lot of shit going on in the world and your one little exploit won't even be noticed. Then the next day you'd go out and buy a nice home theatre system with all the money you made.

    No, I wouldn't. I've made several choices in life that have resulted in less money for me (with full knowledge of that at the time), so I know what kind of choice I'd make if presented with this dilemma. I suspect that I am not alone in this. Perhaps I overestimate how many other people are like me in this regard, but consider the possibility that you're underestimating that value.
    --
    Ben Hocking
    Need a professional organizer?
  79. At least three problems, if not more by BritGeek · · Score: 1, Insightful
    It seems to me that this whole area is fraught with problems, and that the proponents of a "free market" are missing some of the history here.

    #1 The history of paying for exploits.
    This is a relatively new phenomenon, but historically where it has happened vulnerabilities have been purchased on the black market, by security research companies such as iDefense (now a subsidiary of Verisign). The reason that these companies did this is because these were (and are) exploitable, and were being happily used by the criminal community. Thus, in that situation, iDefense and other similar companies were able to acquire information about known and exploited vulnerabilities, and inform software vendors so that remediation could proceed.

    While paying money to criminals is not necessarily something that fills anyone with glee, except the criminals of course, it was reasonably clear that the action helped "the greater good". The same is far from true in the case of building a free market in vulnerabilities. The obvious point is that if a vulnerability applies to some particular product, why should we assume that the legitimate owner of the site or software product will be the highest bidder? It could as easily be a criminal.

    #2 Legality - testing.
    At least in the US, for downloaded software, the situation is such that the legality of testing software for vulnerabilities is moderately safe. For websites, on the other hand, the situation is that researchers are on rather thinner ice. Some websites do publish policies which describe the situations under which they would never push for prosecution, although many still do not. (Although the recent discussions on this subject are clearly spurring more sites to do this.) The net for websites is that whether or not the testing activity is viewed as being criminal is in large measure up to the tolerance, or otherwise, of the website operator.

    #3 Legality - sale.
    For the sale of vulnerabilities, if a researcher approaches a company and says "I have information about a vulnerability in your product/service, and I'd like $x for it", the answer is that any competent prosecutor could get a blackmail conviction. If you are a legitimate security researcher, I'd argue that the last thing you want is to be branded as a blackmailer. And, per point #2, I think you will find that as more and more websites release security testing policies, those policies explicitly will not indemnify researchers when the results of the research have been resold or in any way used for profit.

    #4 Business ethics.
    Granted that most security researchers are not in fact employed by the companies whose products and services they are researching, why on earth would anyone expect to be compensated by that company? For example, if you show up at the office building of some company with a ladder and bucket and then clean all the windows, the office manager might be grateful, but whether or not you get paid for it is another matter altogether. Why should vulnerabilities be any different? Don't all workers have the right to expect the windows of their offices to be clean and bug free? ;-)

    --
    "The time is always now" - Victor
  80. Another FOSSie seeks security through obscurity by Anonymous Coward · · Score: 0

    And so who is going to buy up teh Lunix's security flaws? Lunis Torvballs? That's pretty unlikely, seeing as he is mopping the floor at peepshows to pay his bills. And you really think Steve Jobs is going to pay anything? Of course not: Apple will become just another PC vendor in 5-10 years.

    Once again, FOSSies show their jealous obsession with Microsoft, and again they ignore the lack of security in their own flagship product, Lunix.

    Microsoft's OS just keeps getting better and better, and Lunix keeps getting worse and worse. Heck, teh Lunix still hasn't caught up to Windows 95's tail lights. You guys need ANOTHER decade to figure out how to rip off Plug and Play?

  81. True Story. by Abolo · · Score: 1

    "Obviously if Microsoft offered more than the black-market prices, everyone would just sell their exploits to them."

    Yes, however from a business-oriented viewpoint this portrays the company as having its balls in the hands of 'outsiders'. As a smart 'enterprisingly minded' human being, would you buy software from a company which you plan to deploy on thousands of machines, if you knew that some of the security testing and possible patch submissions on it may have been handled by ex-cons/hackers/crackers/stfu/criminals/etc.?

    I am not saying it would be substandard, but I think that a lot of people would feel something intuitively wrong with that. In a lot of ways it's like saying you got a friends friend who is a robber to test out your alarm for you.

    However, at the same time, as pointed out "The people they would be paying money to are not criminals or bad people, they're legitimate researchers who just can't afford to do work for Microsoft for free when they could be doing something else for money."

    Yes, there are a lot of legitimate security researchers out there, but let's say the CashPerExploit deal was introduced. Do you not think there would be an adequate amount of better trained 'nefariously minded' exploit finders? One bad apple fucks up the box. If companies got the impression that there is a possibility their software supplier uses such people, I think their confidence in the company would loosen.

    But having said that, once it becomes a business enough people might get 'trained up' quickly.

    I work for a company that uses a variety of Microsoft technologies deployed over quite a few machines. Not hundreds, or thousands, just a tad higher! You'd be surprised at how relaxed they are about security, but me, I am generally just paranoid anyway. This is the first experience I have had in an 'enterprise environment', but all of the above is just me suspecting that other companies have a different corporate strategy for their security. I must say, for how successful they are, they really do believe in solely using M$ products, and products developed by companies who have good relations with M$.

    I don't know, maybe it's like being with a gang of people. You're either on the FSF's land or somewhere in Redmond. A sense of security fostered by a recorded long term relationship of software development companies. Maybe it's less about the company, and more about consistency derived from their strong relationship. Patches each month, deployment Friday, etc... A big corporate bureaucratic machine survives on things like this, a bit like the x86 idea, make it simple, and make it fast/reliable. Hah, I'm laughing too....

    "Deco, ya stallin' it up to mouseys gaff? We'll get mad ourra'vih!"

  82. Why stop there by kbsoftware · · Score: 1

    Following the author's logic, why stop there? Let's pay bank robbers to not rob banks, pay thieves to not steal cars, etc. That's just my 2 cents, my pay to not steal this article :)

  83. In soviet Microsoft by cachimaster · · Score: 0

    Bill Gates exploits YOU!

  84. Not my clients... by benhocking · · Score: 1

    They're my Mom's. I did set up her web-site, though. :)

    --
    Ben Hocking
    Need a professional organizer?
  85. Don't negotiate with a terrorist by Anonymous Coward · · Score: 0

    Someone who wants money for every vulnerability is a terrorist. And I am sure the mafia will get into the game sooner or later by buying up the vulnerabilities and trying to exploit them for profit. The auctioning only makes their job easier. Talk about helping the underground.