Slashdot Mirror
Microsoft Says No To Paying Bug Bounties
Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000
range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."
Or it could be because they would be bankrupt within the week.
"we don't think paying a per-vuln bounty is the best way."
-- er
"We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."
Mit der Dummheit kämpfen Götter selbst vergebens.
you beat me with this answer!
"We don't care, we don't have to...we're the operating system company."
About 15 years ago they made a long term investment to running their image into the ground so people would hate them so much that they would be willing to find the bugs for free. It's been working well for a long time, and at this point they have already written the check, why switch.
Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.
Thank you very much, fixed. Next!
Crazy like a fox (news anchor).
I guess MS has a new suit of security tech invisible to those unfit for their positions or just hopelessly stupid.
MS knows its coding nothing at all but marketing has them coding in the finest suit of software.
With is masterstroke, no cry of "But they are developing anything at all!" will never gain traction.
They are safe to wonder around the walled gardens.
Domestic spying is now "Benign Information Gathering"
There are certainly downsides to the bounty approach(once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).
On the other hand, handing out hard cash, in addition to credit, can certainly be motivational(yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels+occasional fun money bounties+credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues(both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since(with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports that team FOSS could, which would seem like a natural marketing bullet point...
Microsoft: As good at security as Linux users are at doing sex with girls
It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update
Yea, because we all know that people really value having their name in a newsletter over having their name in a newsletter AND a few thousand dollars....
"The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." ~Thomas Jefferson
Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phising, or you're targeting companies for data theft, it seems like the motivations are almost always financial.
At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay some dividends there. But more importantly, to say the motivations aren't always financial as though that's a particularly meaningful observation, that's exceedingly stupid and indicates a real lack of understanding of computer security in the real world.
They're right. Banks don't pay people who find ways to get into their vaults.
You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).
Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.
Or it could be because they would be bankrupt within the week.
But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
as well witnessed by the linux user who refers to it as "doing sex"
Microsoft will always sit in the highest thrown when it comes to web browser software insecurity because of that very reluctancy to not only seek white-hat/community researcher help in vulnerability assessments and testing, but also because they are too bottom-line driven to see past it.
We all have an good idea what the average annual salaries some Microsoft employees get paid and up to $3K is a drop in the bucket for someone who will willingly take hours, weeks, months or longer to find a something that will do any Microsoft operating shop or end-user a favor. That's more than getting your money's worth not to mention curbing a bad rap.
Even from a general security standpoint, having vulnerabilities exposed, fixed and put in a release keeps that particular ace-up-the-sleeve attack run that malicious cracking communities have that much less effective over time.
The joke was that microsoft's software is so bug-ridden that people will find so many unreported bugs that microsoft will go bankrupt.
SURELY NOT!!!!!
Oh, we don't think it was immaculate...
It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
And they modded you "funny" but you're absolutely right, sorta, even if a little exagerated; they have more far more dollars than sense. Well, maybe not sense; ethics.
Free Martian Whores!
Just because you got to the destination doesn't mean you're a good driver*.
*this was originally a sandwich analogy, but then I remembered my audience.
which is totally what she said
Wait, it was a joke? I thought it rather insightful!
which is totally what she said
This is bad logic, ivory tower thinking even, they are assuming the entire ecosystem will have their chosen set of corp centric values. You would think they would have learned otherwise by now!
Vulnerabilities will be discovered, sometimes by multiple independent parties. These vulnerabilities are either going to be sold, exploited selectively (corp esp against a chosen target), exploited publicly, reserved for future use or given to the vendor.
The responsible thing is to try to move as many to the latter as possible. The most popular way to do that is with cash.
I am a Linux user since the time you had to compile your own kernel in order to perform an install. :)
I have 7 going on 8 children. My wife uses Linux too.
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.
That's what she said.
...they've spent all their surplus cash paying people who forward Bill Gate's email message to 25 other people.
We all know that security researchers are drama queens. As soon as they find a bug, they want to get a bull-horn out and start crowing about it.
Microsoft on the other hand says that if you don't keep it secret for months or even years then you are a bad person and will try to get you fired.
What they should do is just pay a $100 per day for keeping it secret until the bug is fixed. That way even if you don't get bragging rights, you get a pay check.
Signing a non-disclosure agreement like this is pretty normal. It's a part of most businesses but no one wants to do it for free.
I agree, but my first thought was that Microsoft produces more software than Google and Mozilla combined, which creates a much larger footprint for vulnerability. This, combined with the fact that some of their software is supported for up to 13 years after it's released (Windows XP), means that it very well would cost them a fortune. And by the time they stop supporting their software, attacks which never existed in anyone's wildest wet dreams have appeared, and the 12-year-old software wasn't designed and can't be significantly rearchitected to handle such attacks. A few examples that come to mind are Windows XP and ASLR or IE 6 and ActiveX.
I also think your point that Microsoft wants people doing this for the right reasons holds significant water. Paying someone a bounty provides the wrong motivation because, instead of Microsoft and the researcher being aligned in a common goal to make software safer, the researcher and Microsoft sit at opposite ends of the table because one side wants to maximize, while the other side wants to minimize, the bounty. If the researcher goes in knowing they aren't going to get paid then there's less incentive for viewing Microsoft as a rich organization to be fleeced and more incentive to work together. Unfortunately, it seems that the researchers think they hold more cards than they do and want to get paid a bounty because "everyone else does" and it would be easy money.
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.
What Microsoft needs is first of all a restructuring of the organization - it's hemorrhaging cash, talent and image. Then they need to rewrite Windows and have a transition period where the old is virtualized much like Apple did with Mac OS X a decade ago. Sure it will take them some time but if they're candid enough about it, it will boost their image, people will want to work for them and in the long term it will save them cash. Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.
Custom electronics and digital signage for your business: www.evcircuits.com
And yet, free projects like OpenBSD have so many fewer security problems. I have a really, really hard time grasping on what level MS is doing a good job. They typically refuse to acknowledge bugs until they've patched them and insist upon releasing them on patch Tuesdays without giving responsible end users the ability to patch up as soon as the patch is tested.
Yeah, that's a description of a competent organization. Perhaps if things are that complicated they should be removing things like WiMP and IE which have no place in the base system to focus on making things be actually secure.
I wasn't debating whether Linux users have sex, I was pointing out that the original comment was about being good at "doing sex", not about the possibility of having sex. Just because someone is having sex doesn't mean they're good at it. There are plenty of lazy fat people out there.
Of course it was rather poorly worded so the intention could have been either way.
which is totally what she said
So Microsoft is saying that people should voluntary and collectively work on fixing and bettering software for free, without any compensation? Mmmm...
If someone says he and his monkey have nothing to hide, they almost certainly do.
I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs. Besides they would get swamped with thousands of duplicate or non existent bugs because SOMEONE WAS DOING IT WRONG, not to mention the "i found it first" and other related lawsuits. Waste of time and money for everyone and you and I the consumers won't benefit one bit. Finding a bug != fixing a bug.
did you forget to take your meds?
Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible ...
The first sentence was a rather nice bit of unintentional humor.
But your point is well-taken: the whole concept of penetration testing was originally taken from the military, which also hires teams to see if they can break their security and leave notes like "code books stolen" if they succeed.
I am officially gone from
Now, pretty please, with sugar on top, kindly Fuck Off And Die already."
There, fixed that for them.
If you were blocking sigs, you wouldn't have to read this.
Microsoft already have more bugs than they know what to do with. They don't need people reporting more :-)
Well good for you! Now if we could just stop Windows users breeding ... ;-)
They hire people to penetrate
Indeed. They pay people to do it, not because they've already done it. ;-)
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date
The NT kernel as a bastard stepchild of VMS is really not the cause of any unique-to-MS problems, and MS are experimenting with a major rewrite with Midori if that's really what you're looking for.
NT was the step up from DOS-3.1-95-98-ME becoming mainstream just a little before OS X superceded OS 9 - OS X itself being mostly NeXT work, in turn Mach + BSD + ObjC - in turn standard microkernel theory + Unix + Smalltalk. It's all a nice evolution. I don't see any benefit in making everything another Unix-alike.
Consider the "problem" of the heavy process in a VMS-derived OS. Unix (classically) says, "Let's make fork()ing quick and easy and do everything by forking." NT says, "That's better implemented by threads, with the benefit of full sharing." Midori (and others) ask, "Actually, do we need all these hardware-isolated processes in the first place?" Which is "correct"?
The reality is that $3000 for a really good exploitable bug is cheap.
And most companies paying bounties won't pay you for a DoS you found in e.g. Chrome in 2H spare time, and only if you're lucky for things like data leak.
They're only going to pay for sure if you deliver a full blown with proof of concept and completely documented exploit that let you take over a system.
But here's the trick! Not only those take a long while to do, even for the skilled engineer (heck writing docs and stuff sucks), but $3000 is peanuts. Some companies or evil guys pay $10 000 for these (and no, you can't have the extra $3000 later because they're going to give you a NDA - but you can probably make your friend win the $3000 - that's how it works, he just rewrites what you tell him 3-6month later and on top of that you'll feel better since the bug will actually be fixed)
Researcher: I want $3000 like Google and Mozilla pay.
Microsoft Representative: No.
Researcher: $2000?
Microsoft Representative: No.
Researcher: Could I at least meet Bill Gates?
Microsoft Representative: *sigh*No, anything else?
Researcher: Uhm... lapdance?
Microsoft Representative: Ok fine, we will pay you one lapdance or hentai dvd per bug. That is my only and final offer.
Researcher: DEAL!
It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.
I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to for. Some possible reasons:
1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.
2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irriates the bean counters who are asking, aren't we already paying for people to work on security issues?
3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.
It is interesting they don't want to do it though.
Finally! Someone used the word "loose" properly. Even if the meaning of the sentence is different than what you intended (I have no way of knowing), it's true nevertheless. They would have indeed loosed big money.
Free Martian Whores!
I'm both an IT geek and have turned into a bit of a fitness buff in the last couple of years.. heh heh :P This article confirms my limited experience.
which is totally what she said
There are various 3rd party research groups that you can sell your exploits too for money. They are legal, moral and assist the targeted companies in getting them fixed (and providing emergency fixes to their clients)...
This doesn't help too much when you find a non-exploitable bug though, or are we only talking about exploitable ones?
Might also have to do with the fact that their products are closed source. Certainly makes it harder to do anything much more than brute force guess-and-check type exploits.
That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.
But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors, (or at least your PR antichrists) it makes sense to either hire them or become their best customer. either of which them will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.
What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinence?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.
I work for the Department of Redundancy Department.
Because they would have to have a system where bugs are identified and tracked.
Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.
For Microsoft, Honest is not the best policy - they are more of a let the dog sleep company, good enough type company.
... do what Marc Maiffret did and turn your affiliation with Microsoft and penchant for finding and addressing vulnerabilities into a profitable career/company. Frankly, I think the credibility he earned goes a heck of a lot further for making money in the long run than a series bounties would. It also further limits any possible muck-rakers from trying to insinuate conflicts of interest.
Also, I am not sure people realize that Microsoft has made leaps and bounds in terms of how they view security/vulnerabilities since the 90's. Going beyond the chuckles: Do they have problems still? Sure, but it's no longer viewed as a marketing problem; they acknowledge it's an engineering problem and have an actual hope in Hades of fixing it compared to a company that once used to treat everything as branding and marketing.
Code softly but carry a big magnet.
Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.
Thank you, this sentence made me laugh so hard. It's wrong on so many levels I don't even know where to start with correcting you.
I am TheRaven on Soylent News
...4) MS Customers are happy to pay for bugfixes
I've observed this myself when a consulting firm I worked with suddenly couldn't open an important presentation anymore. The fix cost them iirc around 3500 €. When asking them why they'd stay with a product that would render it's files unusable, they responded that they were actually pretty happy with the response time and the price didn't bother them at all.
I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh that is not even the best part. I went to report a bug to MS over the phone guess what they wanted, down payment. You know... just in case it wasnt a bug.
In other shocking news, the sky is blue, water is wet, ice is cold and fire is hot.
"the motivations aren't always financial" is a phrase I've heard before -- mostly from HR departments. It means someone who doesn't care about the product, but rather about making his/her departmental bottom like is running things.
Money never hurts, and moves mountains. Yes, some people do it for free. More people will do it if there's cash. This means Microsoft either wants to:
1. save money (unlikely, but possible at a departmental level)
2. not find bugs (likely -- they take work to fix and cause embarrassment)
3. not have a simple quantifiable number associated with bugs, like "how much did you pay out this year on bug bounties?" so that consumers notice that they have more bugs than anyone else (very, VERY likely)
It's always struck me that vendors ought to be paying researchers for the time they spend working with the vendor to help get a bug fixed, rather than a flat rate for finding a bug. i don't think vendors have any obligation to pay people who find security vulnerabilities for the time they spent finding the bug, but if they want a research to spend time documenting and explaining the bug so they can fix it then they need to compensate that researcher. If there is a flat bounty rate, the researcher can decide how much time they're willing to commit to helping the vendor fix the bug.
When Microsoft says they're not interested in a per-vuln bounty, I don't think that necessarily means they won't compensate researchers, but that the compensation will be based on something other than finding a vulnerability - such as the time the researcher spends helping get the bug fixed.
Banks don't pay people who find ways to get into their vaults.
People who know how to find a way in don't send an invoice.
It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?
Property is theft.
I remember reading a Chapter from Freakonomics describing how temporarily imposing an economic contract (X happens, Y dollars change hands) on what had formerly been a social contract (X happens, you should feel proud/guilty) ended up permanently voiding the social contract.
While it's probably the case that MS is some combination of "Afraid bounties would bankrupt them" and "Using obscurity in place of security" and "Everything you don't want to be", I do wonder if they might accidentally be doing the Right Thing. Probably not, of course, but what if Mozilla and Google's Big Bounties actually ended up damaging the motivation of those who search for and report vulnerabilities because it's the right thing to do?
Anyone know how many other companies have substantial vulnerability bounties? Moreover, anyone know if there's any research on possible links between bounty offers and useful reports?
Microsoft - employs some of the brightest and best programmers and designers in the world
Has an entire research arm dedicated to improving their products
Has teams of testers to test and find bugs ... ...and still produces bug ridden, vulnerable software, that is outdesigned by the competition
Puteulanus fenestra mortis
It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"
Yet they proactively fix bugs and distribute those fixes at no cost. Strange.
Here's a TED talk that could be applied to this situation in support of Microsoft's decision: YouTube - Clay Shirky: How cognitive surplus will change the world
Xbox Achievement Points!!
This article confirms my limited experience.
Of course, gay men also score higher in all these categories.
I think this probably implies a wide variety of things, and from my *many* experiences, I think they're probably all partially true.
-josh
You're over analizing the dynamics of sex
It's not difficult at all
Tab A goes into Slot B
Even a nerd can do it
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
There may be a virus out there for that
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
Well, my brother is gay. He's a geek, but definitely not into fitness. I have no idea about his attitudes in the bedroom however and I'd rather not find out :p
which is totally what she said
Just publish the bulletins. No reporting or anything. No mercy with M$!
Look, why should MS reverse their model and pay money to bug-finders when their current model has people paying THEM to find bugs?
"The bigger the lie, the more they believe." - Det. Bunk
...from the company that used to charge YOU a huge bill for the "privilege" of sending bug reports?
You haven't specified any measurable criteria for what makes one "better" at sex than another. Thus sucess/failure is a perfectly reasonable delimiter. Multiple successful couplings would imply that the female has bee sufficiently satisfied that there have beeen repeated sessions.
-or-
Dan is a rapist, his wife is against abortion
-or-
All his children have been produced in the lab
0xB315AA8D852DCD3F3DCA578FD2E0BF88
There’s a feeling of futility when you run into a bug in proprietary software. You feel like there's nothing you can do about it so you work around it.
Its such a certain thing that the bug won't be fixed that you code for the existence of the bug even though you know that it will create comparability issues when YEARS LATER the bug is fixed by the next iteration of Windows.
I think that a bit of a sample bias is going to happen in the comments - few Linux users are going to post saying "Yes, I use Linux and I rarely if ever do sex with a girl"
From what I can tell they have little reason to offer such a bounty:
1) Most home users couldn't care less. They view MS's monthly updates as a hassle, not a benefit, and would be much happier if they didn't have to bother with updates at all.
2) Most business purchasers are going to see an increase in security reporting as a disincentive to buy MS products. The people doing (or at least authorising) the purchases tend to be managers rather than IT pros, so more security issues = a worse deal in their mind.
MS's objective is to sell more product, not to release a better product. A "bug bounty" does not benefit them in this respect.
Well, since I was brought up as a pretty fundamental Christian (though I am no longer religious), many of my friends will actually never have sex until after they're married. And then there are some people who value the relationship over the sex. Of course I'm not saying a lot of people are bad at sex, and statistically most people are obviously likely to be average - and it is of course just a natural thing so it's hard to do "wrong" as long as you're not simply getting tired or a clueless n00b.
Feels kinda weird to spell it out, but my criteria for things that contribute to good sex:
My last gf would get tired pretty quickly (probably less than an hour from kissing until she was reportedly satisfied and just wanted to sleep) because she was a lazy bint that ate mostly garbage (though she'd at least be okay to go again after she rested a bit), whereas one of my previous gfs was properly hyperactive and as healthy as me, so we could occupy ourselves for many consecutive hours with mindless physical gratification.. heh. Good times!
which is totally what she said
Fixing product defects is what happens when you ship defective products.
So you think every software vendor ships defective products ?
In the auto or any other industry it's a "recall". You ship a defective product, you have to fix it. You sound like they're doing it out of the goodness of their hearts. Do you work for MS, own stock, or what?
I never even suggested they're doing it for any reason other than good business. The same reason every other vendor fixes their bugs.
Uh, yes, they do.
Well, maybe not the banks themselves, especially not smaller banks, or really any, these days (too little money actually on hand to be worth it), but it's called "penetration testing". I'm sure the vault manufacturers (or whatever they're called, I suspect most vaults are custom-made) are continually thinking of ways that they could be broken into. (Or at least they should be. Wouldn't be a very good company to say "oh, we think it works, but we don't know, we've never actually tested it".)
You see (or you ought to see) penetration testing referred to a bit here on Slashdot--it's quite popular in computer security. Best way to improve your security is to identify its faults.
Perhaps I was too ambiguous with my language. I felt otherwise, but sometimes I guess I overdo it on the nuance.
I said: Banks don't pay people who find ways... (cheekily nonrestrictive "who")
I did not say: Banks don't pay people to find ways...
IOW, banks don't pay people just because they happen to find ways. In general, banks don't pay money to random people on the street, and the person on the street who makes a hobby of finding ways is no exception. They instead pay selected people specifically to go about the task of finding ways.
So you think every software vendor ships defective products ?
Every manufacturer of every product made occasionally ships a defectve product. Nobody's perfect, but some vendors are worse than others.
Free Martian Whores!