Slashdot Mirror


Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

45 of 246 comments

  1. So... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Perhaps being a little more... Diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...

    1. Re:So... by Crudely_Indecent · · Score: 5, Insightful

      People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

      --
      "Lame" - Galaxar
    2. Re:So... by MightyYar · · Score: 5, Insightful

      Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

      Can you come up with a logical reason for jigsaw puzzles?

      Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:So... by Dripdry · · Score: 5, Insightful

      It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

      --
      -
    4. Re:So... by Jah-Wren+Ryel · · Score: 3, Insightful

      The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

      Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place. By using the MSRC umbrella to release the info it shields the individual from retaliation. So some street cred goes to the MSRC in general but that's not particularly useful for the guys doing the actual work.

      --
      When information is power, privacy is freedom.
    5. Re:So... by Lord+Ender · · Score: 5, Insightful

      The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

      Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

      If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    6. Re:So... by John+Hasler · · Score: 2, Funny

      So the WHO is the proprietary vendor of the human immune system with exclusive access to the source code? Or in other words the UN is God?

      Surely you can come up with a worse analogy. How about one involving cars?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:So... by bberens · · Score: 3, Funny

      This is Slashdot, you're required to use a car analogy.
      It's more like someone finding out that if you plug in a 2nd generation iPod into a 1996 Civic LS with the upgraded stereo then it will cause a short and your car will explode into a fiery mess. Sure, some yahoo could run around plugging iPods into Civics, but generally I'd be happy to know of the potential danger.

      --
      Check out my lame java blog at www.javachopshop.com
    8. Re:So... by drsmithy · · Score: 2, Interesting

      A lot of commercial vendors treat independent researchers with contempt (how dare they find holes in our products) or as slaves (they should do the work our quality control dept should, for free)...

      Of course, the folks who find a problem and then say "you have a week to fix this and then we release it into the wild" don't win their side any favours, either...

    9. Re:So... by victorhooi · · Score: 2, Insightful

      heya,

      Err, when you're depending on aforesaid vendors to provide mission-critical systems, and they sold you their systems on the basis of being more secure...yeah, you do have that right to demand that.

      And for the record, it was 60 days, which is plenty of time.

      Google already had their hand burnt with Microsoft's buggy and security-hopeless software in the China hacking debacle, I'm assuming they didn't particularly want to get shafted and publicly humiliated again for using buggy Microsoft software.

      Cheers,
      Victor

    10. Re:So... by harryjohnston · · Score: 2, Interesting

      What in particular about Microsoft's response to vulnerability notices do you object to? They can be a bit slow to respond sometimes - they're pretty busy - but they've never seemed either prideful or moronic to me. (Well, OK, once; but on that occasion even I had to admit it was a borderline case.)

  2. All these internet "radicals" by countertrolling · · Score: 5, Funny

    No wonder the government wants an off switch...

    --
    For justice, we must go to Don Corleone
  3. Not to side with Microsoft, but... by dawilcox · · Score: 5, Interesting

    It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
    This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
    It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.

    1. Re:Not to side with Microsoft, but... by Spad · · Score: 4, Insightful

      I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

      Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

    2. Re:Not to side with Microsoft, but... by kimvette · · Score: 4, Interesting

      It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

      You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    3. Re:Not to side with Microsoft, but... by Aladrin · · Score: 5, Insightful

      They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    4. Re:Not to side with Microsoft, but... by Fulcrum+of+Evil · · Score: 2, Interesting

      Nowadays, if you give notice, the company will probably spend that time getting a gag order. Best to raise the flag, drop the blade, and watch the rolling head.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    5. Re:Not to side with Microsoft, but... by amorsen · · Score: 2, Informative

      I've found holes in a couple of products, not produced by Microsoft though. It is REALLY frustrating to mention a hole to a vendor and then be ignored at first, then have your motives questioned, and then see the company ignore the issue for ages.

      Today I would most likely not mention a security bug to anyone unless it's in free software. If I had previously established that the vendor was responsive to non-security bug reports or I have access to paid support, I'd probably give it a shot, but other than that it's best to just shut up. It won't seriously affect me anyway, I don't depend on non-free software.

      --
      Finally! A year of moderation! Ready for 2019?
    6. Re:Not to side with Microsoft, but... by Gadget_Guy · · Score: 2, Insightful

      Disclosure of vulnerabilities is the only way to get them fixed.

      Surely the thousands of other fixed bugs prove that this statement is wrong.

      On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

      Because software companies want to encourage people to report security bugs to them so they can get fixed before being exploited. It is in Microsoft's interest to acknowledge the security professionals who report the bugs. They also acknowledge the third parties who assist in solving bugs too.

      If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear

      But what if Microsoft are currently spending their time fixing a major security hole that is currently being exploited. Isn't it reasonable for them to prioritise that over some newly discovered bug that nobody knows about just because some hacker wants their 15 minutes of fame immediately?

      If someone notices a problem in Microsoft's {insert function here} code, perhaps {Another company} with similar code has the same vulnerability, and would benefit from the knowledge?

      It is far more likely that it will be Microsoft that finds similar code with the same vulnerability in other products which would need to be fixed by the same bug fix. There is a reason why it can take more than a week to find and fix a bug.

    7. Re:Not to side with Microsoft, but... by Kaboom13 · · Score: 2, Interesting

      This is incredibly naive. The current method works well, for a very specific reason. MS's real customers are businesses. The home user is an afterthought, so we might as well ignore them. Large businesses have lots of custom applications and integration and scripting. Most of this work was done in a very, very shitty way. The result is things like hard coded paths, relying on unsupported, deprecated, or undocumented functionality of libraries, all sorts of stupid, impossible to maintain bullshit. Most commercial business apps for sale are the same way. The whole thing is held together with baling wire and happy thoughts. The result is a system that is much, much more likely to break because of patches than a normal system or home user. I have never had a patch break one of my personal PCs or one of my apps, but I've seen it happen to corporate PCs all the time. The problem isn't really even Microsoft's, because shitty programmers in shitty conditions making shit can do the same in any OS and will.

      In the current patch system, we can test individual updates (making it easier to diagnose the cause of the problem) and once we have identified a problem patch, we can still roll out the rest. In a single cumulative version system, it's all or nothing, so if you have a game breaking patch, you get 0 patches until you have fixed the problem. In a perfect world it wouldn't matter, but in a perfect world we wouldn't need patches in the first place.

      Add in the fact not all vulnerabilities are created equal, and you have a major problem. If you have two vulnerabilities, both of which cause problems for you when patched, but one is a vulnerability when you open jpgs in mspaint on the third Tuesday of the month, and the other is a remote code execution in your tcp/ip stack, you will want to prioritize the latter over the former. In a monolithic version environment, chances are most companies would be 6 months minimum behind the curve when that big bad vulnerability hit. They would have no choice but to keep plodding along (and frantically adding more programmers would most likely hurt more than it helped at that point), whereas with individual patches they could skip all the intermediate updates and deal with the first.

    8. Re:Not to side with Microsoft, but... by Dan+Ost · · Score: 3, Insightful

      Not being able to fix the problem is very different from not being able to do anything to mitigate your exposure to the problem.

      Sometimes the problem is part of an unused component that can be turned off.
      Sometimes the problem can be protected by simple firewall rule changes.
      Sometimes the problem has a simple work-around.

      All of these things help protect the user even though none of them actually fix the problem.

      If the user doesn't know the problem exists, then they can't make any attempt to protect themselves.

      --
      *sigh* back to work...
  4. Dumbdumbdumbdumbdumb by Saint+Stephen · · Score: 4, Insightful

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    1. Re:Dumbdumbdumbdumbdumb by Itninja · · Score: 4, Insightful

      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Dumbdumbdumbdumbdumb by Saint+Stephen · · Score: 2, Interesting

      Limited worldview, stupid assumptions. It's just childish to assume that MS delays action on a patch because "it hurts their feelings". It's far smarter to realize they have to manage the process in a controlled way.

      Now, bureaucracy means things get done slower than some people wish - that's a fair gripe. But a far smarter way to handle it would be to announce there's X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?

      That way you'd get your point across without being destructive to the rest of us.

    3. Re:Dumbdumbdumbdumbdumb by Guil+Rarey · · Score: 5, Insightful

      MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

      fail.

      Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

      But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

      --
      Do not taunt Happy Fun Ball
    4. Re:Dumbdumbdumbdumbdumb by cynyr · · Score: 4, Informative

      But let's say something needs port 11234 open in both directions to work*, a sys admin that knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets back doored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug". There have been few bugs that can't be band-aided recently discovered, so the harm is really only to the people that don't follow security in the first place (home users that put their birthday pin and mother's maiden name into any form they see on the internet).

      *Bad example I know as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    5. Re:Dumbdumbdumbdumbdumb by Rakishi · · Score: 4, Insightful

      There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.

      People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.

      In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

    6. Re:Dumbdumbdumbdumbdumb by Blakey+Rat · · Score: 2, Informative

      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.

      Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting a freakin' ad in the paper reading, "wanted: 46 random people on the street to fix security holes" isn't going to help!

      Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.

    7. Re:Dumbdumbdumbdumbdumb by starfishsystems · · Score: 4, Insightful

      I have to agree.

      Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)

      His answer? "Customers aren't asking for those features."

      From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

      I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

      Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

      Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.

      --
      Parity: What to do when the weekend comes.
    8. Re:Dumbdumbdumbdumbdumb by winwar · · Score: 3, Insightful

      "Microsoft already puts ample resources on fixing it."

      That is simply absurd. If that were the case they would have few security flaws. This is not a short-term problem; Windows has been around for a long time. Microsoft has just chosen to put security below features. They are just not honest enough to admit that they do not want to commit the needed resources.

  5. vetting? by LordPhantom · · Score: 3, Funny

    FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

    If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join ;-)


    I wonder how they are going to determine *that*......

    1. Re:vetting? by BlueBoxSW.com · · Score: 2, Funny

      They test your pee for Mountain Dew.

    2. Re:vetting? by Anonymous Coward · · Score: 2, Funny

      FTA:
      We do have a vetting process by the way, for any Microsoft
      employees trying to join ;-)

      I wonder how they are going to determine *that*......

      I found the below code from their website...

      IF RIGHT(strEmail,14) = "@microsoft.com" THEN
              boolPassedVetting = False
      ELSE
              boolPassedVetting = True
      END

      And now, in the true spirit of things...

      NOTIFICATION OF 0-DAY VULNERABILITY:
      If a user gives an email address under 13 characters in length, then the command will fail, dumping the user to a shell and giving them complete admin access (as the script was running as root of course)

  6. Oh, great.... by bobdehnhardt · · Score: 2, Interesting

    Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubicle, or next door, or down the street, or....

    I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.

    If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.

    1. Re:Oh, great.... by h4rr4r · · Score: 4, Insightful

      They tried that, it did not work so now they do this.

      What should they do when "responsible" disclosure gets you either a prompt STFU, they just ignore the problem or worst case a lawsuit?

    2. Re:Oh, great.... by Locke2005 · · Score: 2, Insightful

      The generally accepted practice is to disclose the vulnerability to the publisher first, and give them 30 days to issue a fix. If there is no fix available after the waiting period, THEN you disclose it to the general public. Although I'm sure the length of the waiting period can be a source of much debate, I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  7. Re:The thing is by h4rr4r · · Score: 2, Informative

    They tried that. "Responsible" disclosure often results in nothing happening or worst case a lawsuit. It is cheaper for MS to ignore problems than fix them.

  8. Malicious Intent by pwileyii · · Score: 2

    Based on what I've read, this was done intentionally and with malicious intent on the behalf of the researchers in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."

    It is clear to me that the researchers are either a) little kids or b) acting like little kids and I hope Microsoft and the rest of the security community comes down hard on them to prevent further retaliation tactics that hurt users more than the companies they are attempting to damage.

  9. The bad guys know about them already. by miffo.swe · · Score: 4, Insightful

    The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

    --
    HTTP/1.1 400
  10. Parser Error (missing hyphen) by Tetsujin · · Score: 3, Informative

    Microsoft Spurned Researchers Release 0-Day

    I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...

    Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.

    --
    Bow-ties are cool.
  11. To Add to this by abulafia · · Score: 5, Insightful

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notified vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the mean time, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    5. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    6. Maybe some less responsible types do some damage.
    7. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes their article quota for the month at Computerworld.
    8. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.

    --
    I forget what 8 was for.
  12. Irrevocable Authenticated Delayed Publication by John+Hasler · · Score: 4, Interesting

    We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.

    There are no doubt many other uses for such a system as well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
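The delayed-publication pipeline sketched in the comment above, as an added example that is not code from the thread, from Microsoft, or from any real disclosure service. It models the two properties the comment asks for with a hash commitment: the researcher publishes SHA-256(nonce || advisory) together with a release date at once, which fixes priority of discovery and makes the text unalterable, and the full advisory is opened only after the embargo. The GPG signature over the public commitment record is assumed to be applied out of band and is not shown; the Escrow class is a hypothetical third party, and the "no matter what the author does" property is a property of that party (it holds the sealed opening and has no withdraw operation), not of the hashing. The advisory text and the dates are constructed placeholders.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Fixed "now" for the worked run below (constructed, so results are reproducible).
EPOCH = datetime(2010, 7, 1, tzinfo=timezone.utc)


def plus_days(t: datetime, n: int) -> datetime:
    return t + timedelta(days=n)


def commit(advisory: bytes, embargo_days: int, now: datetime) -> Tuple[Dict, Dict]:
    """Researcher side: bind the advisory text to a date without revealing it.

    The public record carries only SHA-256(nonce || advisory) and the release
    date. The random nonce stops anyone from confirming a guessed advisory
    text against the hash before release. The researcher is assumed to
    GPG-sign the public record out of band so the commitment is authenticated.
    """
    nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + advisory).hexdigest()
    public = {"commitment": digest,
              "release_at": plus_days(now, embargo_days).isoformat()}
    opening = {"nonce": nonce.hex(), "advisory": advisory}
    return public, opening


def verify(public: Dict, nonce_hex: str, advisory: bytes) -> bool:
    """Anyone: check that a revealed advisory matches the earlier commitment."""
    digest = hashlib.sha256(bytes.fromhex(nonce_hex) + advisory).hexdigest()
    return secrets.compare_digest(digest, public["commitment"])


class Escrow:
    """Hypothetical third-party holder of the sealed opening.

    Irrevocability lives here, not in the crypto: the escrow validates the
    opening on intake, refuses release before the date, and offers no way to
    withdraw, so the researcher cannot be pressured into pulling the text.
    """

    def __init__(self) -> None:
        self._sealed: Dict[str, Tuple[Dict, Dict]] = {}

    def seal(self, public: Dict, opening: Dict) -> None:
        # Reject an opening that does not match the public commitment, so the
        # escrow never holds something it could not later prove was committed.
        if not verify(public, opening["nonce"], opening["advisory"]):
            raise ValueError("opening does not match commitment")
        self._sealed[public["commitment"]] = (public, opening)

    def publish(self, commitment: str, now: datetime) -> Optional[bytes]:
        """Return the advisory once the embargo has elapsed, otherwise None."""
        public, opening = self._sealed[commitment]
        if now < datetime.fromisoformat(public["release_at"]):
            return None
        return opening["advisory"]


def demo() -> Dict:
    """Worked run: a 60-day embargo, one early request that is refused, the
    on-time release, and a tamper check on the revealed text."""
    advisory = b"Constructed placeholder advisory text (not a real finding)"
    public, opening = commit(advisory, 60, EPOCH)
    escrow = Escrow()
    escrow.seal(public, opening)
    early = escrow.publish(public["commitment"], plus_days(EPOCH, 59))
    released = escrow.publish(public["commitment"], plus_days(EPOCH, 60))
    return {
        "early_release": early,
        "released_matches": released == advisory,
        "reveal_verifies": verify(public, opening["nonce"], released),
        "tampered_verifies": verify(public, opening["nonce"], released + b"!"),
    }


if __name__ == "__main__":
    print(demo())
```

The vendor receives the signed public record and the release date at the same time as the private report, so "we need more time" has no one to negotiate with; anyone who later sees the opened advisory can confirm it is the text that was committed on day zero.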
  13. Re:woohhooo I have an opinion by Ihmhi · · Score: 3, Insightful

    what prevents a security flaw from getting fixed? $$$
    What causes security flaws to be released ? $$$

    Assuming that is mostly accurate, I would then postulate that Microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff)

    A new patch released by my company leaves our servers traveling at 60 Internets per second. A 0-day exploit is published. The computer crashes and burns with everyone trapped inside. Now, should we patch the exploit?? Take the number of unpatched systems in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of patching the exploit, we don't patch it.

    - Tyler Durden

    Floor Manager, Microsoft's Security Response Center

  14. Re:yes, it is childish by toppings · · Score: 2, Insightful

    Or, how about the reward is that you acted responsibly, doing what you thought was the right thing. Can't that be enough?

    "The only reward of virtue is virtue." - Ralph Waldo Emerson

  15. Bad headline by Zixia · · Score: 2

    Can someone add a hyphen between the first two words, please? The headline is difficult to parse without it.