Slashdot Mirror


Microsoft Says No To Paying Bug Bounties

Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."

33 of 148 comments

  1. Or it could be because they would be bankrupt ... by MeNotU · · Score: 5, Funny

    Or it could be because they would be bankrupt within the week.

  2. Translation: by rah1420 · · Score: 4, Funny

    "we don't think paying a per-vuln bounty is the best way."

    -- er

    "We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."

    --
Against stupidity the gods themselves contend in vain.
    1. Re:Translation: by ergrthjuyt · · Score: 2, Interesting

      A lot of Microsoft teams have more test engineers than dev engineers. On more mature products, it has been this way for decades now. So your jab, while comical, is far from the truth.

    2. Re:Translation: by Anonymous Coward · · Score: 2, Insightful

      There's worse...

      "We can't afford to get into a bidding war with malware authors."

    3. Re:Translation: by msauve · · Score: 3, Insightful

      Actually, your claim supports his.

      If there weren't lots of bugs to be found, they wouldn't need so many test engineers. Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release? That would be the truly comical claim.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Translation: by Zironic · · Score: 2, Insightful

      Or just a really big product?

    5. Re:Translation: by ergrthjuyt · · Score: 2, Insightful

      Actually, my claim doesn't support his. He claimed that Microsoft "can't afford" or chooses not to pay people to find bugs in their software. I asserted this was false because of the large number of (well paid) test engineers whose full time jobs are to find bugs.

      Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release?

      I never even came close to making such a claim. Nice try though.

      If there weren't lots of bugs to be found, they wouldn't need so many test engineers.

      I'm not sure what point you're trying to make. Anyone with even rudimentary exposure to software development or testing theory understands that having tests is not a sign that a product is buggy. Quite the opposite actually.

      The fact is that Microsoft's products are heavily tested and they care a lot about security (backed up with money to pay for testers -- lots of them). This isn't to say that they are perfect or never make bad security design decisions, but any assertion that they don't care about security or bugs is provably false.

    6. Re:Translation: by msauve · · Score: 3, Insightful

      As they say, "the proof's in the pudding." MS has earned a reputation for vulnerabilities in their software. You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former. How many of those "large number of (well paid) test engineers whose full time jobs are to find bugs" are focused on discovering new vulnerabilities, as opposed to simply doing regression testing vs. a defined feature set?

      And, since your argument now seems to be that money is not what drives people to find vulnerabilities (which is what MS was arguing, according to the summary, and what the OP was ridiculing), what do you propose drives the "bad guys" to find them?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:Translation: by TheRaven64 · · Score: 2

      If software were built like bridges, then your word processor would be a typewriter.

      --
      I am TheRaven on Soylent News
    8. Re:Translation: by rtb61 · · Score: 2, Insightful

      What happened was M$ went really performance based in their bonus schemes, the more code you produced the more you got paid and the quicker you produced that code the sooner you got your money. Catch with that, performance often does not equal quality and unwittingly they penalised coders who produced well crafted, carefully thought out, compact code (the code you actually want). They did this for long enough to establish bad bloated coding styles as the norm, hence the problem.

      Why M$ won't pay for bug bounties? Has Slashdot gone quietly loopy? Why would M$ marketdroids pay people to make their products look bad? Oddly enough, for open source, paying bug bonuses looks good and demonstrates responsibility, but for closed source their marketing claims are that their products are perfect, the best software there ever has been, and paying bug bonuses directly undermines that claim. With open source the claim is, it is the best we can do and we will continue to work at making it better and be honest about its qualities and faults, so bug bonuses make real sense.

      --
      Chaos - everything, everywhere, everywhen
    9. Re:Translation: by msauve · · Score: 2, Insightful

      Paying a bounty is paying only for results. You get a validated vulnerability every time you pay, guaranteed. Paying someone a salary to look for vulnerabilities provides no guarantee that you will successfully find one. How many vulnerabilities are found by this "large number of (well paid) test engineers?" Are there 1000 of them (probably many more)? Do they cost MS $100K each (probably much more) per year? Do they find 1000 x $100000 / $3000 = 33333 vulnerabilities each year? Not based on what MS reports for their patches.

      NASA doesn't make the details of their designs available to the general public, nor is there a space vehicle sitting in virtually every home or business which can be examined, so your strawman fails.

      Many people report bugs to Microsoft without compensation, why start paying for them now?

      To find more vulnerabilities, by getting more people involved. Do you think that offering a bounty provides a disincentive, and would result in fewer reports? Mozilla and Google don't seem to think so.

      OTOH, you're probably right about a bounty from MS being a bad thing - if MS were to pay a bounty, they would no doubt make people sign a contract that the vulnerability couldn't be publicly disclosed until a patch was released, then continue to ignore it for as long as they wanted.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    10. Re:Translation: by ergrthjuyt · · Score: 2, Insightful

      Paying a bounty is paying only for results.

      Only if you think reviewing the thousands of "reports" submitted to claim a bounty can be done for free. You could easily spend millions (e.g., ~10 employees) going through the list and not find a single actionable bug. You think every report is going to be a genuine, original vulnerability? Get real.

      Do you think that offering a bounty provides a disincentive, and would result in fewer reports?

      There is substantial evidence from the field of psychology that paying for something displaces the original incentive to do it for free. If Google and Mozilla ever ended their bounty program, their rate of reports is virtually guaranteed to fall below the reporting rate from before the bounty was offered. I encourage you to look at the contemporary research in human motivation.

      NASA doesn't make the details of their designs available to the general public

      ...and you've inadvertently stumbled on the answer, congratulations. Microsoft's programs are closed source, which is an important difference. Their testers can do full white-box vulnerability assessments and will be able to do more than some guy who picked up the DVD at Best Buy.

      You're implying that Microsoft is either stupid or stingy and that they made the wrong call. I'm pretty sure they thought about it longer than you did, with more metrics and research than you have, and just decided it wasn't worth it. Perhaps you should consider this a possibility instead of just assuming you're right.

    11. Re:Translation: by Muad'Dave · · Score: 2, Informative

      As they say, "the proof's in the pudding."

      That's how it has been corrupted over time. The actual quote is, "The proof of the pudding is in the eating."

      From that article:

      "The full proverb is indeed the proof of the pudding is in the eating and proof has the sense of “test” (as it also has, or used to have, in phrases such as proving-ground and printer’s proof). The proverb literally says that you won’t know whether food has been cooked properly until you try it. Or, putting it figuratively, don’t assume that something is in order or believe what you are told, but judge the matter by testing it; it’s much the same philosophy as in seeing is believing and actions speak louder than words.

      The proverb is ancient — it has been traced back to 1300 and was popularised by Cervantes in his Don Quixote of 1605. It’s sad that it has lasted so long, only to be corrupted in modern times."

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  3. ROI by theskipper · · Score: 4, Funny

    "We don't care, we don't have to...we're the operating system company."

    1. Re:ROI by mcgrew · · Score: 2, Informative

      Attribution: Lily Tomlin's "Ernestine the telephone operator", referring to the then monopoly AT&T (We don't care, we don't have to...we're the phone company), for the younger slashdotters who weren't around when AT&T owned every telephone in America (back then you had to rent your phone).

  4. Committed to their current strategy by ICLKennyG · · Score: 2, Funny

    About 15 years ago they made a long term investment to running their image into the ground so people would hate them so much that they would be willing to find the bugs for free. It's been working well for a long time, and at this point they have already written the check, so why switch?

    Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.

    Thank you very much, fixed. Next!

    Crazy like a fox (news anchor).

  5. Interesting... by fuzzyfuzzyfungus · · Score: 5, Insightful

    There are certainly downsides to the bounty approach (once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).

    On the other hand, handing out hard cash, in addition to credit, can certainly be motivational (yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels + occasional fun money bounties + credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues (both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since (with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports than team FOSS could, which would seem like a natural marketing bullet point...

    1. Re:Interesting... by iamhigh · · Score: 4, Insightful

      It's also a little disingenuous to compare MS to Google here. The attack surface area is at least much different; Google worries about what comes over a few ports; MS worries about that, plus locally run malware, not to mention supporting a million hardware devices and all the extras that come with running a generic-use OS.

      How about we compare MS to Apple - and neither pays for bug/vulnerability finds.

      --
      No comprende? Let me type that a little slower for you...
  6. Re:Or it could be because they would be bankrupt . by Anonymous Coward · · Score: 3, Funny

    Microsoft: As good at security as Linux users are at doing sex with girls

  7. in after 3000 "HURR it would bankrupt them" jokes by FuckingNickName · · Score: 2, Insightful

    They're right. Banks don't pay people who find ways to get into their vaults.

    You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).

    Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.

  8. Re:Or it could be because they would be bankrupt . by ergrthjuyt · · Score: 2, Insightful

    Or it could be because they would be bankrupt within the week.

    But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

  9. Re:Or it could be because they would be bankrupt . by Anonymous Coward · · Score: 5, Funny

    as well witnessed by the linux user who refers to it as "doing sex"

  10. Re:Or it could be because they would be bankrupt . by Anonymous Coward · · Score: 3, Funny

    Oh, we don't think it was immaculate...

  11. Re:Or it could be because they would be bankrupt . by mcgrew · · Score: 5, Insightful

    It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

    And they modded you "funny" but you're absolutely right, sorta, even if a little exaggerated; they have far more dollars than sense. Well, maybe not sense; ethics.

  12. It was all well and good until... by bsDaemon · · Score: 4, Funny

    ... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.

  13. Re:Not enough money in the world by hedwards · · Score: 3, Insightful

    And yet, free projects like OpenBSD have so many fewer security problems. I have a really, really hard time grasping on what level MS is doing a good job. They typically refuse to acknowledge bugs until they've patched them and insist upon releasing them on patch Tuesdays without giving responsible end users the ability to patch up as soon as the patch is tested.

    Yeah, that's a description of a competent organization. Perhaps if things are that complicated they should be removing things like WiMP and IE which have no place in the base system to focus on making things be actually secure.

  14. Re:I wouldn't pay either by drinkypoo · · Score: 2, Interesting

    I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs.

    This is a false dichotomy. They have lots of other options, for example they could throw the money down the hole that is Microsoft's entertainment division, which has so far lost them billions of dollars.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Re:Or it could be because they would be bankrupt . by thoth · · Score: 4, Insightful

    It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

    I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to. Some possible reasons:

    1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.

    2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irritates the bean counters who are asking, aren't we already paying for people to work on security issues?

    3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.

    It is interesting they don't want to do it though.

  16. Re:not surprising by mcgrew · · Score: 3, Funny

    Finally! Someone used the word "loose" properly. Even if the meaning of the sentence is different than what you intended (I have no way of knowing), it's true nevertheless. They would have indeed loosed big money.

  17. Re:Or it could be because they would be bankrupt . by v1 · · Score: 4, Insightful

    That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.

    But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors (or at least your PR antichrists), it makes sense to either hire them or become their best customer, either of which will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.

    What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinacy?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.

    --
    I work for the Department of Redundancy Department.
  18. This is what Microsoft believes should be free by jhoegl · · Score: 3, Insightful

    I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh, that is not even the best part. I went to report a bug to MS over the phone, and guess what they wanted: a down payment. You know... just in case it wasn't a bug.

  19. Re:Or it could be because they would be bankrupt . by mqduck · · Score: 2, Insightful

    It's because to Microsoft, an undiscovered bug is a nonexistent bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

    I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?

    --
    Property is theft.
  20. Re:Or it could be because they would be bankrupt . by somersault · · Score: 2, Funny

    Well, my brother is gay. He's a geek, but definitely not into fitness. I have no idea about his attitudes in the bedroom however and I'd rather not find out :p

    --
    which is totally what she said