Slashdot Mirror

← Back to Stories (view on slashdot.org)

Does Microsoft Need Bug Bounties?

Posted by Soulskill on from the how-deep-are-their-coffers dept.

Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."

100 comments

  1. A Fundamental Problem with This Suggestion! by eldavojohn · · Score: 5, Interesting

    Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

    Here is the source for Mozilla projects. Here is the source for Google Chrome. And where do I find Internet Explorer's source code? Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code. How can they start a bug bounty program when they won't even trust the community with seeing their code?

    To put it another way: when you practice security through obscurity, offering monetary incentives for bug discovery is not a financially sound decision.

    Furthermore, there have been times when a bug submitted to Google was deemed not a bug and a discussion ensued why that was with the source code referenced. I believe Microsoft could just say, "Oh, sorry, we don't owe you anything for discovering that feature but since you can't see the source code you'll have to take our word for it."

    Microsoft doesn't need bug bounties. They need to achieve the prerequisite of code inspection before they can even consider putting their money where their mouth is.

    --
    My work here is dung.
    1. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0

      BAM!!!

    2. Re:A Fundamental Problem with This Suggestion! by bsDaemon · · Score: 2

      I'd venture to guess that the majority of vulns are found using a debugger/disassembler such as Ole, IDA, or WinDBG rather than looking at the source code. The source can lead you only so far. The binary is what matters. Check out the ABO exercises some time, just as an example. Just saying.

    3. Re:A Fundamental Problem with This Suggestion! by Anrego · · Score: 3, Insightful

      On a serious note, I don't even think Microsoft releasing the code at this point would be a good thing by any means.

      When something starts out open source.. it's great. The obvious bugs get found while people are still playing with it. IE is in heavy production use ... if you just just open it up at this point in the game you'd probably get an enormous influx of security holes.

    4. Re:A Fundamental Problem with This Suggestion! by ArsonSmith · · Score: 2

      ...you'd probably get an enormous influx of security holes.

      Small nit-pick: You already have the security holes now for free, this would just help in pointing them out.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    5. Re:A Fundamental Problem with This Suggestion! by PickyH3D · · Score: 2

      Ah yes, the infamous, "everyone else is doing it argument."

      Suggesting that the only source of security with IE, the team that originated the idea of sandboxed browsers, which only Chrome matches, is a bad joke.

      Turning the talk of a bug bounty program into a discussion on open versus closed source is just as bad.

      People are not finding the major security vulnerabilities in these browsers by sifting through their source code; they are doing it by using fuzzing and similar debugging techniques designed to break the browser in question.

    6. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0, Insightful

      You do realize that most bugs and vulnerabilities are not found by looking at source code, right? Oh right, you're just another one of those "many eyes on the source" morons that ignores the countless bugs and security vulnerabilities that have slipped past these mythical many eyes (Debian OpenSSL fiasco, UnrealIRCD trojan, malware infested packages signed with Red Hat's own private key, etc).

    7. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0

      You can never be as efficient at debugging with only the binary available. You need both the sources and the binary. The binary shows only what is actually happening but the sources show the intent of the programmer. It is the mismatch between the two that causes bugs.

    8. Re:A Fundamental Problem with This Suggestion! by Hal_Porter · · Score: 2, Insightful

      This reminds me of a funny quote from Undocumented Dos on getting access to the complete Dos source code. You couldn't but you could get a mix of source, binaries (.obj) and debugging information (symbol values) for the binaries if you paid a few thousand dollars for the OEM Adaptation Kit or something like that. The authors of Undocumented Dos opined "That's almost as good as source code - the only thing it is missing is the comments which are probably misleading anyway"

      With that in mind here's how to get symbols for Microsoft binaries

      http://support.microsoft.com/kb/311503

      It's worth pointing out that people don't debug non trivial things by staring at source code - they debug the binary using a debugger. If you have symbols, you can do that.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    9. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0

      So, the problem is, does "open source" create a better, more secure, more stable product?

      I think the verdict will be a long time coming because I still see significant patches, updates and problems with open source software as with Microsoft's code.

      I tire of the argument that because the "other" guys products are open they are somehow better then closed source products. Currently I am finding Chrome to be a resource hog and is causing significant problems on my system. Using IE 9 on the same system is fast and peppy. Not sure if this just a side-effect of something new Google is doing in the latest Chrome, but lets face it, if IE 9 is actually performing better then Chrome, obvious the boys in Redmond know what they are doing.

      Also, how open is open source? You think Google is just going to let you fix a bug and check in the code? Create some new exciting feature for Chrome? No fucking way. The biggest myth about open source is that it is community built. IT IS NOT! Mozilla, Google, Linus, they have have a death grip on their "open source" and while you might feel happy being able to look at the code and learn from it, maybe even feel you can contribute a little towards it, good luck trying to making any influence or change in the direction of one of the products produced by these guys.

      I think the biggest presumption in open source is that the average Joe programmer living in their parents basement can produce better more stable and secure code then the boys getting payed hundreds of thousands a year. Bull Fucking Shit. Microsoft doesn't need peer reviews from the average geek any more then Google or Mozilla do. The only difference is Microsoft is the only honest company saying they don't need community support for their software while Google and Mozilla pretend to be including the open source community letting people believe they have some kind of impact on those products.

      How deluded are you to believe you can change or improve Chrome or FireFox. The open source community is a collection of assholes who don't believe their code ever stinks.

    10. Re:A Fundamental Problem with This Suggestion! by bsDaemon · · Score: 2

      If you plan on fixing bugs, the source is great. If you plan on exploiting bugs, it doesn't really matter. I may be in a security research department at well-know network security company based on a popular open source tool and not just someone talking completely out of my ass. Again, just saying.

    11. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0

      Talk about opinions being like assholes. If you don't like open source, guess what? You don't have to use it. Is this a great country or what? P.S. This website runs is hosted on Linux. Don't let the door hit ya...

    12. Re:A Fundamental Problem with This Suggestion! by Daengbo · · Score: 1

      What Microsoft really needs to do is to stop ignoring vuln reports for six months or a year, only to label the researcher a criminal when he/she finally goes public with it. "Responsible Disclosure" my ass!

      --
      Put identity in the browser.
    13. Re:A Fundamental Problem with This Suggestion! by Anonymous Coward · · Score: 0

      And just how the f*ck would you know? Been looking at the code again lately? Besides, can't a person get an MS developers account, pay serious money, swear to not let anybody who's anybody know about what you found, understand spaghetti code, and get the source code?

    14. Re:A Fundamental Problem with This Suggestion! by mysidia · · Score: 1

      Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code

      It's called Microsoft Shared Source Initiative

      You just have to meet certain pre-requisites: you need to be an enterprise with 1500 licensed windows seats, sign a big fat NDA, and intend to use the source code for an eligible reason.

    15. Re:A Fundamental Problem with This Suggestion! by cavreader · · Score: 1

      You have to admit that "open source" evangelists sometimes get a little carried away when singing the praises of open source projects. Like the some of the previous posts mentioned hunting for bugs by reading the source code rarely produces any results. Having an "open mind" is much more valuable than just using "open source". In 25 years of development the one thing I have learned above anything else is you should always chose the right tool for right job when building systems. Closed Source, Open Source, Linux , and Windows all have their places.

    16. Re:A Fundamental Problem with This Suggestion! by MaDeR · · Score: 1

      "good luck trying to making any influence or change in the direction of one of the products produced by these guys."
      Ever heard about "forks"? They were already executed many times when majority of community did not like direction where project was going. So, as true AC, you spew crap.

      --
      What modern Obelix would say today? Of course, "Those crazy Americans!".
    17. Re:A Fundamental Problem with This Suggestion! by torsmo · · Score: 1

      I have a deep suspicion this article ws posted to give a boost to the +4 Funny market.

  2. They'd be gone in a week by SheeEttin · · Score: 4, Funny

    Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!

    1. Re:They'd be gone in a week by 0123456 · · Score: 5, Insightful

      And a lot of bugs can't be fixed because old applications rely on them and people only buy Windows for backwards compatibility.

      When I was writing Windows video drivers years ago we had to deliberately put bugs into our drivers to match the bugs in the stanadrd Windows drivers because various popular applications would fall over without them.

    2. Re:They'd be gone in a week by softWare3ngineer · · Score: 1

      CSS works the same way in all windows browsers for the same reasons.

    3. Re:They'd be gone in a week by Anonymous Coward · · Score: 0

      "If Bill Gates had a nickle for every time Windows crashed... Oh wait, he does." -- Steve Wright

    4. Re:They'd be gone in a week by plopez · · Score: 2

      You're right. They're cash position has been slowly degrading and sales are not what they used to be. What is telling is that they got hit by this last depression harder than Apple. They are tied to businesses and home markets, both vulnerable to economic down turns. Apple sells many low priced things, music downloads and low end iPods are examples, that they have actually been growing. MS has been losing market share as well to Linux and Apple. The slow squeeze is on and there seems to be no equivalent of Lou Gertzner (the CEO who turned IBM around) at MS.

      --
      putting the 'B' in LGBTQ+
    5. Re:They'd be gone in a week by KingMotley · · Score: 2

      Perhaps you need to review Microsofts financials before saying such silly things. 2009 was the only year in which sales went down, 2010 they increased by 7%, and so far expectations are that they will increase by 15% (approximately).

      Date / Sales / Growth
      June 30, 2011 $71.85B 15% (estimated)
      June 30, 2010 $62.48B 7%
      June 30, 2009 $58.44B -3%
      June 30, 2008 $60.42B 18%
      June 30, 2007 $51.12B 15%
      June 30, 2006 $44.28B 11%
      June 30, 2005 $39.79B 8%
      June 30, 2004 $36.84B 14%
      June 30, 2003 $32.19B 13%
      June 30, 2002 $28.37B 12%
      June 30, 2001 $25.30B 10%

    6. Re:They'd be gone in a week by Darinbob · · Score: 2

      Stop being so anti-Microsoft. It would take a month at least for them to go bankrupt this way.

    7. Re:They'd be gone in a week by Anonymous Coward · · Score: 0

      open source sounds like a good idea initially, which is why i have been using it since 1997. the downside of open source is well, look at facebook.. 16 million users just in mafia wars. all because of open id and open source principals.

      having watched open source become a larger power than microsoft in servers and desktops for 'no longer supported' versions of windows. well it is a bit scary. i use open source myself best 'for free' rescue software. but i no longer keep devices powered up constantly and i haven't tried converting any of my family. except for firefox and open office under windows...

      thing is i always switched to open source when windows was failing on me.

    8. Re:They'd be gone in a week by mysidia · · Score: 1

      Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!

      They could adopt a policy of paying $100 each to the top 500 people each week by number of confirmed vulnerabilities.

  3. They would certainly end up by jitterman · · Score: 1

    paying out the nose, but that wouldn't be a terrible thing if it helped their products.

    --
    For conscience is the wound, and there's naught to staunch it
  4. Can MS afford bug bounties? by gstrickler · · Score: 1

    As many bugs as they have, it could put a dent in their profits.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
    1. Re:Can MS afford bug bounties? by blair1q · · Score: 1

      A dent.

      But shortly they'd have very few bugs, and still have something to sell.

      And then it'd be worth the money. Maybe more. Likely more.

      And they'd soon be even richer.

      So bug bounties would be a wise investment.

  5. Why by Anonymous Coward · · Score: 0

    Now why would they do that since they have their users paying for the right to use questionable software (using nice terms).

    Frank

  6. Hard to even submit MS bugs. by rocketman768 · · Score: 1

    I was trying to submit a Windows 7 bug report last week and found it damn near impossible. It's like they would rather pay you to NOT submit bugs.

    1. Re:Hard to even submit MS bugs. by 0123456 · · Score: 2

      It's like they would rather pay you to NOT submit bugs.

      That's a lot cheaper than fixing them.

    2. Re:Hard to even submit MS bugs. by Anonymous Coward · · Score: 0

      Microsoft's consumer products are difficult to submit bugs for, for obvious reasons (MS users are total idiots). But their developer tools (.NET, VS (compilers&IDE), DX, etc) all have standard reporting processes. https://connect.microsoft.com/directory/

    3. Re:Hard to even submit MS bugs. by blair1q · · Score: 1

      Any time a process goes tits-up on my machine, it reports that it's checking for a solution to the problem, then that it's reporting the problem.

      That's not the same as being able to report that I don't like the way they've mis-implemented a feature, but it makes reporting crash-bugs painless.

      I don't recall hearing of Linux or OSX phoning home to say it crashed. Where did MS get the idea?

    4. Re:Hard to even submit MS bugs. by peragrin · · Score: 1

      OSX with 10.4 has had Crash reporter.

      when safari crashes a dialog box comes up that says close(and the app quits), reopen, or report.

      I always click close, and the reopen after the memory clears.

      When running both firefox and safari for several weeks at a time I find that I have to close both wait 2 mintues for the system to clear the memory blocks and reopen. everything returns to normal speed after that.

      --
      i thought once I was found, but it was only a dream.
    5. Re:Hard to even submit MS bugs. by blair1q · · Score: 1

      I wish Firefox would be a little smarter about that. It's annoying to try to open an app, have it tell you that it's already running, then have to close that message box and open the app again. I've never seen the message appear on the second open, no matter how quickly I attend to it, so why doesn't the dialog just say "wait a second while we clean up in here"?

    6. Re:Hard to even submit MS bugs. by Anonymous Coward · · Score: 0

      I don't. Normally you can either force close the process or 'check for a solution.' If a system debugger is registered then you can additionally attach to the suspended process.

      Are you sure you don't mean crashed Microsoft processes (explorer.exe, ...)?

      As for phoning home, it's the only reliable way to get end users to send crash dumps.

    7. Re:Hard to even submit MS bugs. by peragrin · · Score: 1

      The only reason I know is because I usually am running utility monitor and watch it take firefox and safari an extra minute or so to quit. Heck even just running a memory manager you can wait for it to drop drastically and then you know firefox has been unloaded.

      --
      i thought once I was found, but it was only a dream.
    8. Re:Hard to even submit MS bugs. by blair1q · · Score: 1

      Any insight as to what Firefox is doing with that time? Garbage collection would be pointless after a termination signal. All the config stuff seems to be persistent the moment it's modified. Cached info being stored? Maybe. Running mass quantities of heavyweight destructors may be the bottleneck, depending on how they've chosen to implement solutions to their famous memory-leakage problem. It's clear they don't have a "we're quitting, just drop it and walk away" policy for a lot of their objects.

    9. Re:Hard to even submit MS bugs. by netdigger · · Score: 0

      They almost would. Just imagine how many error reports they get. I really wouldn't want to deal with all of that.

      And then think of how much they have to spend on creating updates to fix the bugs. I don't know about you, but I just installed 7 of them for various things.

  7. They are paying one way or another by softWare3ngineer · · Score: 1

    They are already paying for their bugs anyway...or at least their consumers are.

  8. You say that like its a bad thing. by Fujisawa+Sensei · · Score: 0

    I can wish.

    I would love to see both M$ and Sony complete liquidated.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
    1. Re:You say that like its a bad thing. by pandrijeczko · · Score: 1

      Why?

      Just do like I do and don't use or buy their stuff.

      I don't "hate" either company because what they do or make is pretty much irrelevant to me, but if other people like and pay for their products then that's their choice and good luck to them.

      They're just ***COMPANIES*** making stuff, not ***RELIGIOUS ORDERS***.

      --
      Gentoo Linux - another day, another USE flag.
  9. Guess what Microsoft? by Jailbrekr · · Score: 3, Insightful

    There is good money to be had selling discovered vulnerabilites. If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Guess what Microsoft? by Anonymous Coward · · Score: 0

      If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.

      Exactly. There is a flourishing black market of windows exploits. It's there since more than ten years and vulnerabilities are sold and bought every minute.

  10. #3) Penetrate and Patch by Shompol · · Score: 1, Interesting

    The Six Dumbest Ideas in Computer Security

    1. Re:#3) Penetrate and Patch by VortexCortex · · Score: 1

      The Six Dumbest Ideas in Computer Security

      No no... It's not a dumb Idea, well, not initially anyway, but you got it wrong, it's: Penetrate the patch.

      The problems arise if you keep at it for long enough...

    2. Re:#3) Penetrate and Patch by Anonymous Coward · · Score: 1

      That's the most retarded thing I've ever read. It essentially says that you're code shouldn't ever have bugs... this is reality, bugs exists even in good code.

    3. Re:#3) Penetrate and Patch by Anonymous Coward · · Score: 1

      can someone nuke this parent post from orbit. tia.

    4. Re:#3) Penetrate and Patch by Anonymous Coward · · Score: 0

      I've written many programs with no bugs in them at all. Bugs happen as program complexity increases and/or the number of programmers increase. I've written entire games for WP7 using the XNA Framework that were bug-free. The desired functionality was clear and the implementation was orderly and planned. Everything worked as desired. I achieved this by working top-down and bottom-up and testing every feature as it was implemented. The only bugs I introduced were usually caused by erroneous logic or backwards signs. Those were quickly discovered and fixed when I ran the game on the emulator and observed the results.

      A lot of people seem to confuse functionality with bugs. Desired features not being implemented or a UI widget not being where you want it doesn't constitute a bug. If the UI widget is not where the programmer indented it, then that's a bug. And it should be very easily fixed before the code ever gets checked into production.

      Bugs that cause a program to crash because some unintended execution path was taken have absolutely no excuse to exist. I think they're more indicative of poorly thought-out design or a poor programmer. If you have issues like these in your code, you're doing something wrong.

    5. Re:#3) Penetrate and Patch by Anonymous Coward · · Score: 0

      Excellent link, thanks!

    6. Re:#3) Penetrate and Patch by Jailbrekr · · Score: 3, Insightful

      Correction, no *known* bugs. There is no such thing as "bug free". Did you factor in the framework? The OS? I thought not.

      --
      Feed the need: Digitaladdiction.net
    7. Re:#3) Penetrate and Patch by MaDeR · · Score: 1

      This article is detached from reality. While he had valid points, gems like "Unless your system was supposed to be hackable then it shouldn't be hackable" are just ludicrous. What the fuck he want, totally rewrite entire system after each detected security hole??

      --
      What modern Obelix would say today? Of course, "Those crazy Americans!".
    8. Re:#3) Penetrate and Patch by MaDeR · · Score: 1

      "I've written many programs with no bugs in them at all."
      Aren't you fucking genius.

      --
      What modern Obelix would say today? Of course, "Those crazy Americans!".
  11. In Soviet Microsoft.... by jhoegl · · Score: 1, Flamebait

    In Soviet Microsoft, you PAY them to report bugs.
    No seriously, if you are a lowly person that found and confirmed a bug, you have to pay them to talk to them.
    So yeah... Fuck Microsoft.

  12. Misleading summary??? by Anonymous Coward · · Score: 0

    Vendors give away the vulnerabilities at no extra charge.

    Whether they'll pay you to tell them where they are or not is the question.

  13. Why bother? by Spazmania · · Score: 2

    Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Why bother? by Riceballsan · · Score: 1

      That is a very good point, generally when a security vulnerability is found in windows, it's usually determined to be a bug carried over from windows XP that was reported 7 years ago.

    2. Re:Why bother? by mysidia · · Score: 1

      Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

      So you can make the 'bounty submitters' sign an agreement not to reveal the vulnerabilities they discover, or the fact they discovered a vulnerability; for fixing at your leisure.

  14. I found a bug in BASIC V2 by cpu6502 · · Score: 0

    POKE781,96:SYS58251 makes my screen do funky things.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:I found a bug in BASIC V2 by sexconker · · Score: 1

      POKE781,96:SYS58251 makes my screen do funky things.

      Never caught that one.
      Is it like MISSINGNo. ?

    2. Re:I found a bug in BASIC V2 by Anonymous Coward · · Score: 0

      It's an easter egg from C=64 BASIC. My question is, is it really in MS-BASIC v2? That would imply some dirty-hands reverse engineering (or outright copyright infringement.)

  15. Don't know about Bounties... by 93+Escort+Wagon · · Score: 1

    But Microsoft could definitely use more Fletcher Christians and fewer Captain Blighs.

    --
    #DeleteChrome
  16. MS bug-submission form by davidwr · · Score: 5, Funny

    Microsoft Bug Submission Form

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:MS bug-submission form by Anonymous Coward · · Score: 0

      Funny, my ass. This is insightful!

  17. Microsoft has always dealt with bugs as a PR issue by Black+Art · · Score: 1

    Since Microsoft has a habit of ignoring the issues that get reported without a bounty, I don't see how adding one would improve the issue.

    One of the reasons for Full Disclosure is to pressure companies that think of security vulnerabilities as a PR problem instead of an urgent technical issue. If the first reaction you get from a company is "this only effects a small handful of users" then they are trying to patch through spin instead of fixing the problem. Microsoft is not the only one that does this, but they have been one of the biggest offenders.

    BTW, "this only effects a small handful of users" has been used by Microsoft so many times that they have grounds to trademark the phrase.

    --
    "Trademarks are the heraldry of the new feudalism."
  18. What about a different kind of bounty? by VortexCortex · · Score: 1

    What if, instead of Microsoft sponsoring bounties for bugs in Microsoft code, we all just started a pool ourselves to fund a bounty for Microsoft coders?

    It doesn't cost that much, surely someone must know a guy who knows a guy?

    Clearly, since we can't fix the bugs ourselves, the most efficient solution is to make sure no more bugs can be introduced... Let's end the problem at it's source!

    1. Re:What about a different kind of bounty? by couchslug · · Score: 1

      Why do I want to help a company which I regard as an enemy?

      I don't want them to improve, I want them to fail, badly.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:What about a different kind of bounty? by Anonymous Coward · · Score: 0

      Get a life, pathetic troll.

  19. Microsoft is not serious about its products. by VickySlashdot · · Score: 1

    I think we should give Microsoft Time to work on Security venerabilities. As already by weeks the software updates have maxed hard drive space and performance is lowering. What is wrong is that the software originally is not made always secure of threats only accidents and patches that all.

  20. Wow that's surprising by smbell · · Score: 1

    People who find bugs in software say Microsoft should pay people who find bugs in their software. News at 11.

    1. Re:Wow that's surprising by Anonymous Coward · · Score: 0

      "News at 11."

      It's *Film* at 11. Film, I say!
      http://en.wikipedia.org/wiki/Film_at_11

  21. Bugs benefit them by Anonymous Coward · · Score: 0

    So long as Microsoft has a monopoly or heavy leverage in an area many of the bugs may benefit them:
    Monopoly = "de-facto Standard"
    Bugs = unpublished interface behaviour
      = vendor lock-in.

    This may be considered part of the reason MS has been a drag on the advancement of technology for at least a decade.

    p.s. Gates' incredible philanthropy makes me more willing to forgive.

  22. It's not just a practicality question by dkleinsc · · Score: 4, Insightful

    It's also a philosophical question. Microsoft as an organization believes that the best possible way of producing software is to hire the smartest programmers you can get your hands on, give them a carefully honed specification designed by the best marketing and UI people you can get their hands on, directed by the best management you can get their hands on, and have them go to work. And if you're Bill Gates, this really does seem like the right way to do business.

    The trouble is:
    1. You can't get your hands on all the smart people in the world.
    2. Even if you could, enough people hammering at software in every way imaginable has a way of uncovering problems that the smart guys hadn't even thought of. I'm talking about stuff like "I didn't know that they were going to try to use some sort of wildly different equal sign Unicode code point from Cyrillic instead of a UTF-8 '='". That makes the population of users a much better source of uncovering obscure bugs than the best QA team could ever manage.
    3. Linus's Law suggests that when somebody uncovers these sorts of obscure bugs, there's somebody in the world who could figure it out pretty easily. Using my earlier example, chances are that in the whole of Russia, there's somebody who really is interested in Unicode in a way that no sane person ever would be, and because of that developer's familiarity with Unicode and Cyrillic is going to have a good idea how to fix the bug in the best way possible. It may not be perfect right off the bat, but it will be started in the correct way because the person in question has the exact specialized knowledge needed to solve the problem. So the population of programmers not working for Microsoft is going to outperform Microsoft's programmers by sheer numbers if nothing else.
    4. ESR pointed out that the guy in Russia interested in Unicode is far more motivated to fix a hypothetical Cyrillic Unicode bug than a programmer working in the bowels of Microsoft's headquarters, because it's a bug that affects them directly in a field they care about.

    In other words, Microsoft can't win these kinds of fights, but they can't give up the belief that they can win these kinds of fights. Hence they won't change, no matter how much they should.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:It's not just a practicality question by Anonymous Coward · · Score: 0

      And yet, despite that, my Android phone still has massive bugs that haven't been addressed, including a calender that doesn't let you delete individual events, and randomly sends alerts up to twenty hours after events that have already been dismissed, an integration with my google account that only wants to appear in theory rather than practice, a habit of screwing up MP3 playback, a distressing inability to sync, and a webbrowser that can get stuck in search boxes, requiring resetting to get out.

      Oh, and these bugs have been known for years and nobody's done shit about them.

    2. Re:It's not just a practicality question by ljw1004 · · Score: 2

      What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in whether an async lambda inside an anonymous type declaration triggers invalid codegen, and wouldn't even discover the issue until the language feature has been in widespread use for five years, but internal QA will discover the bug before the feature ships. On your question of unicode bugs, users seem happy to use just simple unicode for their variable names, and it's down to QA to discover e.g. that dipthongs don't work in edge cases, or that certain whitespace unicode characters have been reclassified in the latest unicode update.

      In general, users will find bugs that "itch", but QA departments will find bugs through systematic review of the spec and all possible interactions of language features. And in the field of compiler development, the latter gives me more confidence, because programming is all about making language features interact in useful ways.

    3. Re:It's not just a practicality question by Kozz · · Score: 1

      So what you're saying is... "In Soviet Russia, bugs find you!" ?

      --
      I only post comments when someone on the internet is wrong.
    4. Re:It's not just a practicality question by oakgrove · · Score: 1

      Er, despite what? Android is not developed in the open so Linus' Law is null and void as far as it is concerned.

      --
      The soylentnews experiment has been a dismal failure.
    5. Re:It's not just a practicality question by swillden · · Score: 1

      What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties

      So you're saying that more bugs are reported by people who get paid to report them than by people who don't. Obviously that has to make us wonder what would happen if non-employees could get paid for reporting bugs.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:It's not just a practicality question by VortexCortex · · Score: 1

      What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in _____

      Halt Give me the source code. Then, and only then, can you make such a comparison... I do care, but I just thought it was a bug somewhere else in my project that I hadn't ironed out... With open source compilers (such as LLVM and GCC/G++), I can check the source and SEE if my hunch is correct or not -- it is rarely, but sometimes is a compiler bug -- Screw your half-assed attempt at comparing black-box to white-box bug analysis.

      Additionally, Quit you tard! GTFO our compiler! YOU are the F*Ing problem If this is what you really think!

    7. Re:It's not just a practicality question by camperslo · · Score: 1

      Most of the bugs are not nearly so obscure as what you're suggesting, although some are discovered by people quite far away. A video with Bruce Dang of MS speaking at the 27th Chaos Communication Congress is revealing. He spoke on behind the scenes thinking and fairly early/rapid analysis done in looking at Stuxnet and seeing what/how it exploited in Windows in multiple ways with 100% reliability.. (The talk does not cover the far more serious aspects of Stuxnet, the PLC- targeting payload or the implications of that which has been studied by others)
      The actual talk starts about 11 minutes in. It is probably best to download it with the Download Helper FF extension and play the h.264 in VLC to allow easily repeating portions. The actual talk runs about an hour, he talks pretty fast and the audio has some echo and a resonance making it some work to follow. Some patience is required, but some will find it worthwhile being very informative, revealing some interesting perspectives, and having some funny moments too. (At about 40 minutes, he discusses a point where he was a bit stumped and tired, and took a break to watch porn.)

      27C3 - Adventures in analyzing Stuxnet
      http://www.youtube.com/watch?v=SCqCrtu_n84&feature=related

    8. Re:It's not just a practicality question by ljw1004 · · Score: 1

      Good point. If we do accept this premise that paying people is the best way to get bugs filed, then it becomes an economic and moral question:

      * Does the "bounty" system find better bugs per dollar spent once you factor in the wasted costs of administering the bounty system, or the current "salary" system? In other words, has the free market pegged the salary level of Q&A staff incorrectly?

      * If the "bounty" system is indeed more cost effective, is that because we're exploiting the bounty-hunters by getting their labor without paying health insurance &c. ?

    9. Re:It's not just a practicality question by Anonymous Coward · · Score: 0

      Your "two orders of magnitude" is possible only because there's currently more incentive for people who find the bugs on their own not to report them at all (and subsequently exploit them for their own purposes) and the fact that microsoft QA has access to the source code. After all, if i were a hacker, why the hell would i report a bug if i could exploit it later, given the incentive lies in the power to exploit said bug, and none to report it?

    10. Re:It's not just a practicality question by swillden · · Score: 1

      There is a questionable assumption implicit in your first question, which is that a small number of QA people working full-time is equivalent to a large number of people working part time. I think there's a strong argument to be made that when searching for security bugs it's important to use a large variety of approaches. One grad student or independent researcher may well come up with an angle that none of the QA team members would ever have come up with -- not because he's necessarily smarter, but because he just happened to look at the problem a different way. That individual may be able to reap great financial benefit from applying his idea across a wide variety of applications from different vendors, but that doesn't mean that any one QA team necessarily wants him on staff, because that may be the only really brilliant idea he'll have this year.

      In fact, if you look around the independent and academic security research landscape, this is a pretty much what it looks like. You have lots of individuals or small groups who have one really good idea, plus lots of incremental refinements they make over time. One researcher specializes in fuzzing, and is much cleverer at it than nearly anyone else out there. Another creates some truly excellent static analysis tools that operate on code, yet another develops a fascinating binary analysis tool. Etc., etc. Microsoft can't employ all of these people, and further doesn't really want to, because after a few weeks each of them would have exhausted what they can find with their current approach and tools. And there are all sorts of practical, legal and PR problems with turning them loose on the software of Microsoft's competitors.

      So I think there's a strong argument to be made for it being both more effective for Microsoft (or any other software vendor) and more financially rewarding (for the researcher) for them to exchange value via bounties. Short-term consulting contracts would be another way, but those have the disadvantage that success and failure are approximately equally-rewarded, which is bad both for talented researchers and for the vendors they find bugs for.

      This scenario is probably valid true for other sorts of bugs than for security bugs, and even for security bugs it doesn't mean there's no value in having on-staff QA. You need someone doing the gruntwork of identifying all the common, easy mistakes. But you also need to cast a much wider net than any corporate QA staff is going to be able to achieve.

      As for your second question, I couldn't care less. We're talking about very bright people who don't need anyone to manage their lives or their business relationships for them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  23. It would be too costly by strangeattraction · · Score: 1

    I can see the headlines now "M$ pays $4 million in bug bounties" compared to FireFox and Chrome. This would be every marketers nightmare.

  24. Microsoft may have to pay users by kwerle · · Score: 1

    Kurt Werle says:
    "Microsoft may have to start paying users in order to stay relevant."

    Now can we have a stupid article that quotes me?

    Headline: "Should Microsoft pay its users?"

    Because saying something stupid seems to be the bar for getting mention, here...

  25. Bigger than Bounties... by Anonymous Coward · · Score: 0

    Microsoft's bugs are usually so nasty that they really need Brawnys instead of Bounties .

    1. Re:Bigger than Bounties... by 93+Escort+Wagon · · Score: 1

      You may be right, but remember that Bounty is the "quicker picker upper". In today's security climate speed is a plus.

      --
      #DeleteChrome
  26. Microsoft's real security problem by Salvo · · Score: 2

    The real problem with Microsoft's Windows is support for Legacy Hardware and Software.

    Microsoft Windows wan't designed to be secure in the first place. Even Windows NT-based OS's reintroduced legacy support for backward compatibility; a strategic blunder to pander the ultra-conservative developer base.

    The Application Developer Base is refusing to adapt to new, secure API's like .NET, especially in the corporate sector, and is sticking to legacy API's like Win64, Win32 and even Win16.
    Plugin Developers still program insecure ActiveX and NS-Plugins, as well as Toolbars.

    Hardware Manufacturers are refusing to write drivers that adhere to the new security models.

    The only way MS can make Windows secure is to do what it should have done with the introduction of WIndows NT and removed Legacy Support. It worked for Apple with Mac OS X and the "Classic" and "Rosetta" virtual machines. Microsoft are trying to do it with the Windows Ultimate "XP Mode", but failing.

    They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever." They need to tell their Corporate customers, "If you're still running XP because of some stupid Legacy software, we're going to cut you loose next year. We won't be supporting you."
    They don't think they can do this incase their customer base jumps ship to Mac or Linux. Even though it is a risk, they can because the majority of their user-base want Cheap Hardware and Easy-to-use Software, which rules out both Mac and LInux. They are locked into whatever Microsoft dictates.

    1. Re:Microsoft's real security problem by bk2204 · · Score: 1

      They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever."

      They already did. There were programs that broke really badly in Vista because developers were continuing to use interfaces that were marked as deprecated and going away. Microsoft had for years refused to certify these same programs as "Designed for XP" (or whatever it was called) because they used the obsolete interfaces.

      It turned out really badly for them. People blamed Vista for the bugs. I had to explain the situation to lots of users and informed them that it was actually the software companies' fault, not Microsoft's.

    2. Re:Microsoft's real security problem by cyber-vandal · · Score: 1

      The Application Developer Base has billions of lines of working code that they don't have the budget to rewrite in .NET. I look forward to the day when Microsoft try to dictate to their corporate customers and their corporate customers, just like they did with Vista, will say 'screw you we're not buying something that doesn't run our software'. XP Mode exists because, out in the real world, software can't just be rewritten on a whim or because Microsoft say it should be, and in fact should be on all versions of Windows 7, not just the really expensive ones.

      Apple were in a totally different position. They had far fewer users and a lot less to lose by dropping legacy support.

      IBM Mainframes still run software written 40 years ago. Why? Because businesses still depend on it and it still does what it's supposed to. That is the issue Microsoft faces and it's one, just like IBM before them, was brought about by their ill-gotten market ownership.

  27. Meh by snookiex · · Score: 2

    It's more profitable to exploit a MS product vulnerability than filing a bug report and getting a few bucks.

    --
    Open Source Network Inventory for the masses! Kuwaiba
  28. The Quote of The Day says it better than I can... by VortexCortex · · Score: 1

    Divq zr nakvif fiz?
    Enssvavreg vfg qre Ureetbgg nore obfunsg vfg re avpug. -- Nyoreg Rvafgrva
    Ertanag cbchyv.
    frzcre ra rkperghf
    FRZCRE HOV FHO HOV!!!!

    I believe that last one says, something about crying out for "Help" "Help", or calling out for "Security!" -- What language is this -- seems vaguely familiar... almost like when Dance Dance Revolution moves scroll up the screen, and I think: Holly Hell -- These Brainfuck coders have some messed up concepts of fun!

  29. Wrong by Anonymous Coward · · Score: 0

    eEye Digital Security has been in business for over a decade. They started off finding vulnerabilities for MS products and then MS would pay them. That's how they made money. I should know, I worked there.

    They may not have some contest or public announcement, but they definitely have paid for fixes before they go public.

  30. Not for money - for making future stuff better by vinn01 · · Score: 1

    Find a bug in Firefox or Chrome and you're helping make a product better that will make future products better.
    Find a bug in IE and there is a likelihood that few people will ever use that code to make future products better.

    The people who find many bugs are the people looking to find bugs and make products better. And they report those bugs along with reproducible steps.
    The people who stumble upon bugs are trying to get other work done - they have no time or inclination to halt their work, figure out what they did to hit a bug, and report their findings (along with reproducible steps) to the IE team.

    Be nice to your QA professional.

  31. Public bug tracker. by ElizabethGreene · · Score: 1

    I don't care about bounties, how about a public bugtracker?

    1. Re:Public bug tracker. by Anonymous Coward · · Score: 0

      I agree. The chief problem Microsoft and many other large closed-source companies have is that they tend to shut themselves off from user-reported bugs -- possibly because they haven't yet worked out how to efficiently differentiate between bugs and problems generated by user idiosyncracy in a large volume of support tickets. It seems just about all companies which have paid support would prefer to assume the problem is with the user rather than their software. Just look at how hard it is to find a link on the Apple, Microsoft or Adobe websites to report a bug.