Microsoft Says No To Paying Bug Bounties
Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."
Or it could be because they would be bankrupt within the week.
"we don't think paying a per-vuln bounty is the best way."
-- er
"We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."
Against stupidity the gods themselves contend in vain.
Sadly, no matter how rich Microsoft are, they simply can't afford to write *that* many cheques.
We know our software is buggy as hell. We haven't really cared. And we're not likely to anytime soon.
Unless we get sued or some people die.. maybe... other than that.. it's really not our problem.
We've got the customers locked in pretty good. Especially in a business setting.
They're not going anywhere just because of a few bugs. Why would we pay to fix them?
you beat me with this answer!
It will be a good day when they start having to pay for bugs.
For now, they already have plenty.
"We don't care, we don't have to...we're the operating system company."
About 15 years ago they made a long term investment to running their image into the ground so people would hate them so much that they would be willing to find the bugs for free. It's been working well for a long time, and at this point they have already written the check, why switch.
Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.
Thank you very much, fixed. Next!
Crazy like a fox (news anchor).
I guess MS has a new suit of security tech invisible to those unfit for their positions or just hopelessly stupid.
MS knows it's coding nothing at all, but marketing has them coding in the finest suit of software.
With this masterstroke, no cry of "But they aren't developing anything at all!" will ever gain traction.
They are safe to wander around the walled gardens.
Domestic spying is now "Benign Information Gathering"
Did not think they would lose big money by this. Now it's official: their bugs can bankrupt them.
There are certainly downsides to the bounty approach (once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).
On the other hand, handing out hard cash, in addition to credit, can certainly be motivational (yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels + occasional fun money bounties + credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues (both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since (with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports than team FOSS could, which would seem like a natural marketing bullet point...
Microsoft: As good at security as Linux users are at doing sex with girls
It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update
Yea, because we all know that people really value having their name in a newsletter over having their name in a newsletter AND a few thousand dollars....
"The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." ~Thomas Jefferson
Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phishing, or you're targeting companies for data theft, it seems like the motivations are almost always financial.
At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay some dividends there. But more importantly, to say the motivations aren't always financial as though that's a particularly meaningful observation, that's exceedingly stupid and indicates a real lack of understanding of computer security in the real world.
They're right. Banks don't pay people who find ways to get into their vaults.
You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).
Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.
Or it could be because they would be bankrupt within the week.
But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
The time for this announcement couldn't be better! Windows and Internet Explorer are currently completely vulnerable due to the LNK bug and they haven't even released a fix for it. The next days are going to be interesting ;)
as well witnessed by the linux user who refers to it as "doing sex"
Except I'm a Linux user and my girlfriend is pregnant.
P.S. I'm an Atheist and I'm not buying that immaculate conception bullshit you're selling.
Microsoft will always sit on the highest throne when it comes to web browser software insecurity because of that very reluctance to not only seek white-hat/community researcher help in vulnerability assessments and testing, but also because they are too bottom-line driven to see past it.
We all have a good idea what the average annual salaries some Microsoft employees get paid, and up to $3K is a drop in the bucket for someone who will willingly take hours, weeks, months or longer to find something that will do any Microsoft operating shop or end-user a favor. That's more than getting your money's worth, not to mention curbing a bad rap.
Even from a general security standpoint, having vulnerabilities exposed, fixed and put in a release keeps that particular ace-up-the-sleeve attack run that malicious cracking communities have that much less effective over time.
The joke was that microsoft's software is so bug-ridden that people will find so many unreported bugs that microsoft will go bankrupt.
SURELY NOT!!!!!
Oh, we don't think it was immaculate...
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
And they modded you "funny" but you're absolutely right, sorta, even if a little exaggerated; they have far more dollars than sense. Well, maybe not sense; ethics.
Free Martian Whores!
Just because you got to the destination doesn't mean you're a good driver*.
*this was originally a sandwich analogy, but then I remembered my audience.
which is totally what she said
Wait, it was a joke? I thought it rather insightful!
which is totally what she said
This is bad logic, ivory tower thinking even, they are assuming the entire ecosystem will have their chosen set of corp centric values. You would think they would have learned otherwise by now!
Vulnerabilities will be discovered, sometimes by multiple independent parties. These vulnerabilities are either going to be sold, exploited selectively (corp esp against a chosen target), exploited publicly, reserved for future use or given to the vendor.
The responsible thing is to try to move as many to the latter as possible. The most popular way to do that is with cash.
I am a Linux user since the time you had to compile your own kernel in order to perform an install. :)
I have 7 going on 8 children. My wife uses Linux too.
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.
That's what she said.
...they've spent all their surplus cash paying people who forward Bill Gate's email message to 25 other people.
We all know that security researchers are drama queens. As soon as they find a bug, they want to get a bull-horn out and start crowing about it.
Microsoft on the other hand says that if you don't keep it secret for months or even years then you are a bad person and will try to get you fired.
What they should do is just pay a $100 per day for keeping it secret until the bug is fixed. That way even if you don't get bragging rights, you get a pay check.
Signing a non-disclosure agreement like this is pretty normal. It's a part of most businesses but no one wants to do it for free.
I agree, but my first thought was that Microsoft produces more software than Google and Mozilla combined, which creates a much larger footprint for vulnerability. This, combined with the fact that some of their software is supported for up to 13 years after it's released (Windows XP), means that it very well would cost them a fortune. And by the time they stop supporting their software, attacks which never existed in anyone's wildest wet dreams have appeared, and the 12-year-old software wasn't designed and can't be significantly rearchitected to handle such attacks. A few examples that come to mind are Windows XP and ASLR or IE 6 and ActiveX.
I also think your point that Microsoft wants people doing this for the right reasons holds significant water. Paying someone a bounty provides the wrong motivation because, instead of Microsoft and the researcher being aligned in a common goal to make software safer, the researcher and Microsoft sit at opposite ends of the table because one side wants to maximize, while the other side wants to minimize, the bounty. If the researcher goes in knowing they aren't going to get paid then there's less incentive for viewing Microsoft as a rich organization to be fleeced and more incentive to work together. Unfortunately, it seems that the researchers think they hold more cards than they do and want to get paid a bounty because "everyone else does" and it would be easy money.
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.
What Microsoft needs is first of all a restructuring of the organization - it's hemorrhaging cash, talent and image. Then they need to rewrite Windows and have a transition period where the old is virtualized much like Apple did with Mac OS X a decade ago. Sure it will take them some time but if they're candid enough about it, it will boost their image, people will want to work for them and in the long term it will save them cash. Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.
Custom electronics and digital signage for your business: www.evcircuits.com
I wasn't debating whether Linux users have sex, I was pointing out that the original comment was about being good at "doing sex", not about the possibility of having sex. Just because someone is having sex doesn't mean they're good at it. There are plenty of lazy fat people out there.
Of course it was rather poorly worded so the intention could have been either way.
which is totally what she said
Oh well, that makes sense... she's equally as bad so it's a perfect match! And the universe is back in order.
So Microsoft is saying that people should voluntarily and collectively work on fixing and bettering software for free, without any compensation? Mmmm...
If someone says he and his monkey have nothing to hide, they almost certainly do.
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.
Hey, I've seen that episode of White Collar last week, too :D
I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed out bugs. Besides, they would get swamped with thousands of duplicate or non-existent bugs because SOMEONE WAS DOING IT WRONG, not to mention the "I found it first" and other related lawsuits. Waste of time and money for everyone, and you and I the consumers won't benefit one bit. Finding a bug != fixing a bug.
did you forget to take your meds?
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible ...
The first sentence was a rather nice bit of unintentional humor.
But your point is well-taken: the whole concept of penetration testing was originally taken from the military, which also hires teams to see if they can break their security and leave notes like "code books stolen" if they succeed.
I am officially gone from
They're right. Banks don't pay people who find ways to get into their vaults.
MS isn't a bank, my business is a bank, and their vault better f'ing protect my customers' money.
If they aren't doing everything they can to make sure the vaults they're selling me offer that protection, they're acting irresponsibly.
Now, pretty please, with sugar on top, kindly Fuck Off And Die already."
There, fixed that for them.
If you were blocking sigs, you wouldn't have to read this.
Microsoft already have more bugs than they know what to do with. They don't need people reporting more :-)
Interestingly enough... The social insecurity seems to pay off in this department!
http://www.thesun.co.uk/sol/homepage/features/article2439786.ece
Well good for you! Now if we could just stop Windows users breeding ... ;-)
They hire people to penetrate
Indeed. They pay people to do it, not because they've already done it. ;-)
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date
The NT kernel as a bastard stepchild of VMS is really not the cause of any unique-to-MS problems, and MS are experimenting with a major rewrite with Midori if that's really what you're looking for.
NT was the step up from DOS-3.1-95-98-ME becoming mainstream just a little before OS X superseded OS 9 - OS X itself being mostly NeXT work, in turn Mach + BSD + ObjC - in turn standard microkernel theory + Unix + Smalltalk. It's all a nice evolution. I don't see any benefit in making everything another Unix-alike.
Consider the "problem" of the heavy process in a VMS-derived OS. Unix (classically) says, "Let's make fork()ing quick and easy and do everything by forking." NT says, "That's better implemented by threads, with the benefit of full sharing." Midori (and others) ask, "Actually, do we need all these hardware-isolated processes in the first place?" Which is "correct"?
The reality is that $3000 for a really good exploitable bug is cheap.
And most companies paying bounties won't pay you for a DoS you found in e.g. Chrome in 2H spare time, and only if you're lucky for things like data leak.
They're only going to pay for sure if you deliver a full blown with proof of concept and completely documented exploit that let you take over a system.
But here's the trick! Not only do those take a long while to do, even for the skilled engineer (heck, writing docs and stuff sucks), but $3000 is peanuts. Some companies or evil guys pay $10 000 for these (and no, you can't have the extra $3000 later because they're going to give you an NDA - but you can probably make your friend win the $3000 - that's how it works, he just rewrites what you tell him 3-6 months later, and on top of that you'll feel better since the bug will actually be fixed)
Researcher: I want $3000 like Google and Mozilla pay.
Microsoft Representative: No.
Researcher: $2000?
Microsoft Representative: No.
Researcher: Could I at least meet Bill Gates?
Microsoft Representative: *sigh* No, anything else?
Researcher: Uhm... lapdance?
Microsoft Representative: Ok fine, we will pay you one lapdance or hentai dvd per bug. That is my only and final offer.
Researcher: DEAL!
It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to. Some possible reasons:
1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.
2) They've spent millions educating their developers and testers on secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irritates the bean counters who are asking, aren't we already paying for people to work on security issues?
3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.
It is interesting they don't want to do it though.
I'm both an IT geek and have turned into a bit of a fitness buff in the last couple of years.. heh heh :P This article confirms my limited experience.
which is totally what she said
There are various 3rd party research groups that you can sell your exploits to for money. They are legal, moral and assist the targeted companies in getting them fixed (and providing emergency fixes to their clients)...
This doesn't help too much when you find a non-exploitable bug though, or are we only talking about exploitable ones?
They're right. Banks don't pay people who find ways to get into their vaults.
no but the vault makers do.
You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl
regardless of who points it out, a vulnerability is a vulnerability.
Might also have to do with the fact that their products are closed source. Certainly makes it harder to do anything much more than brute force guess-and-check type exploits.
That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.
But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors (or at least your PR antichrists), it makes sense to either hire them or become their best customer, either of which will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.
What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinacy?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.
I work for the Department of Redundancy Department.
Because they would have to have a system where bugs are identified and tracked.
Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.
For Microsoft, honesty is not the best policy - they are more of a let-the-dog-sleep company, a good-enough type company.
... do what Marc Maiffret did and turn your affiliation with Microsoft and penchant for finding and addressing vulnerabilities into a profitable career/company. Frankly, I think the credibility he earned goes a heck of a lot further for making money in the long run than a series of bounties would. It also further limits any possible muck-rakers from trying to insinuate conflicts of interest.
Also, I am not sure people realize that Microsoft has made leaps and bounds in terms of how they view security/vulnerabilities since the 90's. Going beyond the chuckles: Do they have problems still? Sure, but it's no longer viewed as a marketing problem; they acknowledge it's an engineering problem and have an actual hope in Hades of fixing it compared to a company that once used to treat everything as branding and marketing.
Code softly but carry a big magnet.
A week is very... very generous.
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.
Thank you, this sentence made me laugh so hard. It's wrong on so many levels I don't even know where to start with correcting you.
I am TheRaven on Soylent News
>>They're right. Banks don't pay people who find ways to get into their vaults.
Well, not on purpose anyway.
Well, even if they know about the bugs, I'm assuming someone would have to check and assess them all. With the biggest OS on the market and the biggest browser on the market and a populace eager to get some of that bounty cash, I could imagine they'd be inundated with reports of known bugs, and then they have to pay someone to sift through them all and find the real ones. It wouldn't bankrupt them but it wouldn't be a low cost initiative either.
...4) MS Customers are happy to pay for bugfixes
I've observed this myself when a consulting firm I worked with suddenly couldn't open an important presentation anymore. The fix cost them iirc around 3500 €. When asking them why they'd stay with a product that would render its files unusable, they responded that they were actually pretty happy with the response time and the price didn't bother them at all.
I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh, that is not even the best part. I went to report a bug to MS over the phone; guess what they wanted: a down payment. You know... just in case it wasn't a bug.
In other shocking news, the sky is blue, water is wet, ice is cold and fire is hot.
"the motivations aren't always financial" is a phrase I've heard before -- mostly from HR departments. It means someone who doesn't care about the product, but rather about making his/her departmental bottom line, is running things.
Money never hurts, and moves mountains. Yes, some people do it for free. More people will do it if there's cash. This means Microsoft either wants to:
1. save money (unlikely, but possible at a departmental level)
2. not find bugs (likely -- they take work to fix and cause embarrassment)
3. not have a simple quantifiable number associated with bugs, like "how much did you pay out this year on bug bounties?" so that consumers notice that they have more bugs than anyone else (very, VERY likely)
It's always struck me that vendors ought to be paying researchers for the time they spend working with the vendor to help get a bug fixed, rather than a flat rate for finding a bug. I don't think vendors have any obligation to pay people who find security vulnerabilities for the time they spent finding the bug, but if they want a researcher to spend time documenting and explaining the bug so they can fix it then they need to compensate that researcher. If there is a flat bounty rate, the researcher can decide how much time they're willing to commit to helping the vendor fix the bug.
When Microsoft says they're not interested in a per-vuln bounty, I don't think that necessarily means they won't compensate researchers, but that the compensation will be based on something other than finding a vulnerability - such as the time the researcher spends helping get the bug fixed.
Banks don't pay people who find ways to get into their vaults.
People who know how to find a way in don't send an invoice.
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?
Property is theft.
I remember reading a Chapter from Freakonomics describing how temporarily imposing an economic contract (X happens, Y dollars change hands) on what had formerly been a social contract (X happens, you should feel proud/guilty) ended up permanently voiding the social contract.
While it's probably the case that MS is some combination of "Afraid bounties would bankrupt them" and "Using obscurity in place of security" and "Everything you don't want to be", I do wonder if they might accidentally be doing the Right Thing. Probably not, of course, but what if Mozilla and Google's Big Bounties actually ended up damaging the motivation of those who search for and report vulnerabilities because it's the right thing to do?
Anyone know how many other companies have substantial vulnerability bounties? Moreover, anyone know if there's any research on possible links between bounty offers and useful reports?
Hope you don't mind if your kid looks like me..
and thanks for being so diligent on those system backups.
Microsoft - employs some of the brightest and best programmers and designers in the world
Has an entire research arm dedicated to improving their products
Has teams of testers to test and find bugs ... ...and still produces bug ridden, vulnerable software, that is outdesigned by the competition
Blue window of death.
Something tells me this model isn't very successful, if your basis for it is that Microsoft does it.
It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
Yet they proactively fix bugs and distribute those fixes at no cost. Strange.
Here's a TED talk that could be applied to this situation in support of Microsoft's decision: YouTube - Clay Shirky: How cognitive surplus will change the world
Xbox Achievement Points!!
This article confirms my limited experience.
Of course, gay men also score higher in all these categories.
I think this probably implies a wide variety of things, and from my *many* experiences, I think they're probably all partially true.
-josh
You're over-analyzing the dynamics of sex
It's not difficult at all
Tab A goes into Slot B
Even a nerd can do it
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
There may be a virus out there for that
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
How many times do I have to say it? It's easy to do it, but that doesn't mean you will be good at it. Apparently I'm good at it, but I actually get regular exercise and care whether my partner is having a good time. Some people either don't care ("nice guys finish last, bad guys don't care if she finishes at all" type thing) or just have no stamina.
which is totally what she said
Well, my brother is gay. He's a geek, but definitely not into fitness. I have no idea about his attitudes in the bedroom however and I'd rather not find out :p
which is totally what she said
Just publish the bulletins. No reporting or anything. No mercy with M$!
Look, why should MS reverse their model and pay money to bug-finders when their current model has people paying THEM to find bugs?
"The bigger the lie, the more they believe." - Det. Bunk
...from the company that used to charge YOU a huge bill for the "privilege" of sending bug reports?
...is Apple paying? Oh...right, Apple never has bugs or vulnerabilities. It's right there in all the press releases from Cupertino.
Yes, paying them full time with benefits and they still don't catch nearly enough. Should they hire more, supplement it with a bounty, or simply deny that their software is buggy enough to justify additional expense?
Also it is entirely possible that paying a bounty could be cheaper than paying full time wages and benefits depending on how long it takes to find a bug.
It would be interesting to see how many bugs get reported that they already know about and haven't done a fucking thing about. Yeah, it would practically be an admission of guilt. It would be even more damning if they paid the bounty and a fix doesn't see light in a timely fashion.
You haven't specified any measurable criteria for what makes one "better" at sex than another. Thus success/failure is a perfectly reasonable delimiter. Multiple successful couplings would imply that the female has been sufficiently satisfied that there have been repeated sessions.
-or-
Dan is a rapist, his wife is against abortion
-or-
All his children have been produced in the lab
0xB315AA8D852DCD3F3DCA578FD2E0BF88
There’s a feeling of futility when you run into a bug in proprietary software. You feel like there's nothing you can do about it so you work around it.
It's such a certain thing that the bug won't be fixed that you code for the existence of the bug, even though you know that it will create compatibility issues when YEARS LATER the bug is fixed by the next iteration of Windows.
I think that a bit of a sample bias is going to happen in the comments - few Linux users are going to post saying "Yes, I use Linux and I rarely if ever do sex with a girl"
From what I can tell they have little reason to offer such a bounty:
1) Most home users couldn't care less. They view MS's monthly updates as a hassle, not a benefit, and would be much happier if they didn't have to bother with updates at all.
2) Most business purchasers are going to see an increase in security reporting as a disincentive to buy MS products. The people doing (or at least authorising) the purchases tend to be managers rather than IT pros, so more security issues = a worse deal in their mind.
MS's objective is to sell more product, not to release a better product. A "bug bounty" does not benefit them in this respect.
Yet they proactively fix bugs and distribute those fixes at no cost. Strange.
Fixing product defects is what happens when you ship defective products. In the auto or any other industry it's a "recall". You ship a defective product, you have to fix it. You sound like they're doing it out of the goodness of their hearts. Do you work for MS, own stock, or what?
Free Martian Whores!
Well, since I was brought up as a pretty fundamental Christian (though I am no longer religious), many of my friends will actually never have sex until after they're married. And then there are some people who value the relationship over the sex. Of course I'm not saying a lot of people are bad at sex, and statistically most people are obviously likely to be average - and it is of course just a natural thing so it's hard to do "wrong" as long as you're not simply getting tired or a clueless n00b.
Feels kinda weird to spell it out, but my criteria for things that contribute to good sex:
My last gf would get tired pretty quickly (probably less than an hour from kissing until she was reportedly satisfied and just wanted to sleep) because she was a lazy bint that ate mostly garbage (though she'd at least be okay to go again after she rested a bit), whereas one of my previous gfs was properly hyperactive and as healthy as me, so we could occupy ourselves for many consecutive hours with mindless physical gratification.. heh. Good times!
which is totally what she said
Only on slashdot, of course.
Fixing product defects is what happens when you ship defective products.
So you think every software vendor ships defective products ?
In the auto or any other industry it's a "recall". You ship a defective product, you have to fix it. You sound like they're doing it out of the goodness of their hearts. Do you work for MS, own stock, or what?
I never even suggested they're doing it for any reason other than good business. The same reason every other vendor fixes their bugs.
Uh, yes, they do.
Well, maybe not the banks themselves, especially not smaller banks, or really any, these days (too little money actually on hand to be worth it), but it's called "penetration testing". I'm sure the vault manufacturers (or whatever they're called, I suspect most vaults are custom-made) are continually thinking of ways that they could be broken into. (Or at least they should be. Wouldn't be a very good company to say "oh, we think it works, but we don't know, we've never actually tested it".)
You see (or you ought to see) penetration testing referred to a bit here on Slashdot--it's quite popular in computer security. Best way to improve your security is to identify its faults.
Yes the shit for brains company speak... I give up. Microsoft didn't win, I just refused to subscribe to their bullshit.
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
Perhaps I was too ambiguous with my language. I felt otherwise, but sometimes I guess I overdo it on the nuance.
I said: Banks don't pay people who find ways... (cheekily nonrestrictive "who")
I did not say: Banks don't pay people to find ways...
IOW, banks don't pay people just because they happen to find ways. In general, banks don't pay money to random people on the street, and the person on the street who makes a hobby of finding ways is no exception. They instead pay selected people specifically to go about the task of finding ways.
You're all business-stupid. Microsoft is a company that produces closed source software. If they were to offer bounties for bugs, they'd have their morally corrupt employees colluding with "securities experts" to add all types of bugs that will be claimed every 6 months or so.
Google being open source can't do such things because security bugs have to be good ones to hide for 6 months...
So you think every software vendor ships defective products ?
Every manufacturer of every product made occasionally ships a defective product. Nobody's perfect, but some vendors are worse than others.
Free Martian Whores!
What a pathetic company...ahaha