Slashdot Mirror


Does Microsoft Need Bug Bounties?

Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."

21 of 100 comments

  1. A Fundamental Problem with This Suggestion! by eldavojohn · · Score: 5, Interesting

    Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

    Here is the source for Mozilla projects. Here is the source for Google Chrome. And where do I find Internet Explorer's source code? Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code. How can they start a bug bounty program when they won't even trust the community with seeing their code?

    To put it another way: when you practice security through obscurity, offering monetary incentives for bug discovery is not a financially sound decision.

    Furthermore, there have been times when a bug submitted to Google was deemed not a bug and a discussion ensued why that was with the source code referenced. I believe Microsoft could just say, "Oh, sorry, we don't owe you anything for discovering that feature but since you can't see the source code you'll have to take our word for it."

    Microsoft doesn't need bug bounties. They need to achieve the prerequisite of code inspection before they can even consider putting their money where their mouth is.

    --
    My work here is dung.
    1. Re:A Fundamental Problem with This Suggestion! by bsDaemon · · Score: 2

      I'd venture to guess that the majority of vulns are found using a debugger/disassembler such as Ole, IDA, or WinDBG rather than looking at the source code. The source can lead you only so far. The binary is what matters. Check out the ABO exercises some time, just as an example. Just saying.

    2. Re:A Fundamental Problem with This Suggestion! by Anrego · · Score: 3, Insightful

      On a serious note, I don't even think Microsoft releasing the code at this point would be a good thing by any means.

      When something starts out open source.. it's great. The obvious bugs get found while people are still playing with it. IE is in heavy production use ... if you just open it up at this point in the game you'd probably get an enormous influx of security holes.

    3. Re:A Fundamental Problem with This Suggestion! by ArsonSmith · · Score: 2

      ...you'd probably get an enormous influx of security holes.

      Small nit-pick: You already have the security holes now for free, this would just help in pointing them out.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    4. Re:A Fundamental Problem with This Suggestion! by PickyH3D · · Score: 2

      Ah yes, the infamous "everyone else is doing it" argument.

      Suggesting that the only source of security with IE, the team that originated the idea of sandboxed browsers, which only Chrome matches, is a bad joke.

      Turning the talk of a bug bounty program into a discussion on open versus closed source is just as bad.

      People are not finding the major security vulnerabilities in these browsers by sifting through their source code; they are doing it by using fuzzing and similar debugging techniques designed to break the browser in question.

    5. Re:A Fundamental Problem with This Suggestion! by Hal_Porter · · Score: 2, Insightful

      This reminds me of a funny quote from Undocumented DOS on getting access to the complete DOS source code. You couldn't, but you could get a mix of source, binaries (.obj) and debugging information (symbol values) for the binaries if you paid a few thousand dollars for the OEM Adaptation Kit or something like that. The authors of Undocumented DOS opined "That's almost as good as source code - the only thing it is missing is the comments which are probably misleading anyway."

      With that in mind, here's how to get symbols for Microsoft binaries:

      http://support.microsoft.com/kb/311503

      It's worth pointing out that people don't debug non-trivial things by staring at source code - they debug the binary using a debugger. If you have symbols, you can do that.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re:A Fundamental Problem with This Suggestion! by bsDaemon · · Score: 2

      If you plan on fixing bugs, the source is great. If you plan on exploiting bugs, it doesn't really matter. I may be in a security research department at a well-known network security company based on a popular open source tool and not just someone talking completely out of my ass. Again, just saying.

  2. They'd be gone in a week by SheeEttin · · Score: 4, Funny

    Are you kidding? If Microsoft paid for every bug in Windows, they'd be bankrupt in a week!

    1. Re:They'd be gone in a week by 0123456 · · Score: 5, Insightful

      And a lot of bugs can't be fixed because old applications rely on them and people only buy Windows for backwards compatibility.

      When I was writing Windows video drivers years ago we had to deliberately put bugs into our drivers to match the bugs in the standard Windows drivers because various popular applications would fall over without them.

    2. Re:They'd be gone in a week by plopez · · Score: 2

      You're right. Their cash position has been slowly degrading and sales are not what they used to be. What is telling is that they got hit by this last depression harder than Apple. They are tied to businesses and home markets, both vulnerable to economic downturns. Apple sells many low priced things, music downloads and low end iPods are examples, that they have actually been growing. MS has been losing market share as well to Linux and Apple. The slow squeeze is on and there seems to be no equivalent of Lou Gerstner (the CEO who turned IBM around) at MS.

      --
      putting the 'B' in LGBTQ+
    3. Re:They'd be gone in a week by KingMotley · · Score: 2

      Perhaps you need to review Microsoft's financials before saying such silly things. 2009 was the only year in which sales went down, 2010 they increased by 7%, and so far expectations are that they will increase by 15% (approximately).

      Date / Sales / Growth
      June 30, 2011 / $71.85B / 15% (estimated)
      June 30, 2010 / $62.48B / 7%
      June 30, 2009 / $58.44B / -3%
      June 30, 2008 / $60.42B / 18%
      June 30, 2007 / $51.12B / 15%
      June 30, 2006 / $44.28B / 11%
      June 30, 2005 / $39.79B / 8%
      June 30, 2004 / $36.84B / 14%
      June 30, 2003 / $32.19B / 13%
      June 30, 2002 / $28.37B / 12%
      June 30, 2001 / $25.30B / 10%

    4. Re:They'd be gone in a week by Darinbob · · Score: 2

      Stop being so anti-Microsoft. It would take a month at least for them to go bankrupt this way.

  3. Re:Hard to even submit MS bugs. by 0123456 · · Score: 2

    It's like they would rather pay you to NOT submit bugs.

    That's a lot cheaper than fixing them.

  4. Guess what Microsoft? by Jailbrekr · · Score: 3, Insightful

    There is good money to be had selling discovered vulnerabilities. If you keep refusing to offer a bounty, they'll happily find someone else to pay for its discovery.

    --
    Feed the need: Digitaladdiction.net
  5. Why bother? by Spazmania · · Score: 2

    Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  6. MS bug-submission form by davidwr · · Score: 5, Funny
    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. It's not just a practicality question by dkleinsc · · Score: 4, Insightful

    It's also a philosophical question. Microsoft as an organization believes that the best possible way of producing software is to hire the smartest programmers you can get your hands on, give them a carefully honed specification designed by the best marketing and UI people you can get your hands on, directed by the best management you can get your hands on, and have them go to work. And if you're Bill Gates, this really does seem like the right way to do business.

    The trouble is:
    1. You can't get your hands on all the smart people in the world.
    2. Even if you could, enough people hammering at software in every way imaginable has a way of uncovering problems that the smart guys hadn't even thought of. I'm talking about stuff like "I didn't know that they were going to try to use some sort of wildly different equal sign Unicode code point from Cyrillic instead of a UTF-8 '='". That makes the population of users a much better source of uncovering obscure bugs than the best QA team could ever manage.
    3. Linus's Law suggests that when somebody uncovers these sorts of obscure bugs, there's somebody in the world who could figure it out pretty easily. Using my earlier example, chances are that in the whole of Russia, there's somebody who really is interested in Unicode in a way that no sane person ever would be, and, because of that developer's familiarity with Unicode and Cyrillic, is going to have a good idea how to fix the bug in the best way possible. It may not be perfect right off the bat, but it will be started in the correct way because the person in question has the exact specialized knowledge needed to solve the problem. So the population of programmers not working for Microsoft is going to outperform Microsoft's programmers by sheer numbers if nothing else.
    4. ESR pointed out that the guy in Russia interested in Unicode is far more motivated to fix a hypothetical Cyrillic Unicode bug than a programmer working in the bowels of Microsoft's headquarters, because it's a bug that affects them directly in a field they care about.

    In other words, Microsoft can't win these kinds of fights, but they can't give up the belief that they can win these kinds of fights. Hence they won't change, no matter how much they should.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:It's not just a practicality question by ljw1004 · · Score: 2

      What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties (in the field of compiler development). I guess end-users just aren't interested in whether an async lambda inside an anonymous type declaration triggers invalid codegen, and wouldn't even discover the issue until the language feature has been in widespread use for five years, but internal QA will discover the bug before the feature ships. On your question of Unicode bugs, users seem happy to use just simple Unicode for their variable names, and it's down to QA to discover e.g. that diphthongs don't work in edge cases, or that certain whitespace Unicode characters have been reclassified in the latest Unicode update.

      In general, users will find bugs that "itch", but QA departments will find bugs through systematic review of the spec and all possible interactions of language features. And in the field of compiler development, the latter gives me more confidence, because programming is all about making language features interact in useful ways.
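The Unicode edge cases the two comments above trade examples of (a lookalike for '=' from another block, identifiers that differ only in script, whitespace characters whose Unicode category changed between versions) can all be checked mechanically, which is the kind of systematic review the reply credits to internal QA. The following Python is an added example, not code from the thread, from Microsoft or from any compiler team; the Cyrillic lookalike table and the sample tokens are constructed here, and the check relies only on the standard library's unicodedata module.

```python
import unicodedata

# Constructed lookup: a handful of Cyrillic letters that render like Latin
# ones. This is a hand-written subset, not Unicode's full confusables table.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def audit_token(token):
    """Return (index, 'U+XXXX', reason) for every non-ASCII character in
    token that a reader could mistake for ASCII or fail to see at all."""
    findings = []
    for index, ch in enumerate(token):
        if ch.isascii():
            continue
        cp = f"U+{ord(ch):04X}"
        name = unicodedata.name(ch, "<unnamed>")
        category = unicodedata.category(ch)
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and folded.isascii():
            # Compatibility characters (fullwidth '=', no-break space, ...)
            # fold to ASCII under NFKC; a lexer that skips normalization sees
            # a different token from the one the user believes they typed.
            findings.append((index, cp, f"{name} folds to ASCII {folded!r} under NFKC"))
        elif ch in CYRILLIC_LATIN_LOOKALIKES:
            # Script homoglyphs survive NFKC unchanged, so normalization alone
            # does not catch them; a confusables map is needed.
            latin = CYRILLIC_LATIN_LOOKALIKES[ch]
            findings.append((index, cp, f"{name} looks like Latin {latin!r} and is unchanged by NFKC"))
        elif category in ("Zs", "Zl", "Zp"):
            findings.append((index, cp, f"{name} is Unicode whitespace (category {category})"))
        elif category == "Cf":
            # Invisible format characters. ZERO WIDTH SPACE was category Zs in
            # early Unicode versions and is Cf now, so a lexer built against one
            # version's tables classifies it differently from another's.
            findings.append((index, cp, f"{name} is an invisible format character (category {category})"))
    return findings


def skeleton(token):
    """Map a token to what a reader sees: NFKC-fold it and replace the known
    Cyrillic lookalikes with their Latin counterparts."""
    folded = unicodedata.normalize("NFKC", token)
    return "".join(CYRILLIC_LATIN_LOOKALIKES.get(ch, ch) for ch in folded)


def is_homoglyph_collision(a, b):
    """True when a and b differ as strings but render identically."""
    return a != b and skeleton(a) == skeleton(b)


# Constructed sample tokens, one per failure mode mentioned in the thread.
SAMPLES = {
    "plain": "x = 1",
    "fullwidth_equals": "x \uff1d 1",   # FULLWIDTH EQUALS SIGN instead of '='
    "cyrillic_a": "\u0430bc",           # leading CYRILLIC SMALL LETTER A, not 'a'
    "zero_width_space": "ab\u200bc",    # ZERO WIDTH SPACE: Zs once, Cf now
    "no_break_space": "ab\u00a0c",      # NO-BREAK SPACE folds to ' ' under NFKC
}

if __name__ == "__main__":
    for label, token in SAMPLES.items():
        print(label, repr(token), "isidentifier:", token.isidentifier())
        for index, cp, reason in audit_token(token):
            print(f"  [{index}] {cp}: {reason}")
    print("collision:", is_homoglyph_collision("\u0430bc", "abc"))
```

Python itself reports `"\u0430bc".isidentifier()` as True, so two variable names that render identically can legally coexist in one program; nothing about ordinary use surfaces that, which is why it falls to a spec-driven review of the identifier grammar rather than to the user base.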

  8. Microsoft's real security problem by Salvo · · Score: 2

    The real problem with Microsoft's Windows is support for Legacy Hardware and Software.

    Microsoft Windows wasn't designed to be secure in the first place. Even Windows NT-based OSes reintroduced legacy support for backward compatibility; a strategic blunder to pander to the ultra-conservative developer base.

    The Application Developer Base is refusing to adapt to new, secure APIs like .NET, especially in the corporate sector, and is sticking to legacy APIs like Win64, Win32 and even Win16.
    Plugin Developers still program insecure ActiveX and NS-Plugins, as well as Toolbars.

    Hardware Manufacturers are refusing to write drivers that adhere to the new security models.

    The only way MS can make Windows secure is to do what it should have done with the introduction of Windows NT and remove Legacy Support. It worked for Apple with Mac OS X and the "Classic" and "Rosetta" virtual machines. Microsoft are trying to do it with the Windows Ultimate "XP Mode", but failing.

    They need to make the commitment and tell developers "If you don't do it our way, it won't work in Windows 8, or Windows 9, or whatever." They need to tell their Corporate customers, "If you're still running XP because of some stupid Legacy software, we're going to cut you loose next year. We won't be supporting you."
    They don't think they can do this in case their customer base jumps ship to Mac or Linux. Even though it is a risk, they can because the majority of their user-base want Cheap Hardware and Easy-to-use Software, which rules out both Mac and Linux. They are locked into whatever Microsoft dictates.

  9. Re:#3) Penetrate and Patch by Jailbrekr · · Score: 3, Insightful

    Correction, no *known* bugs. There is no such thing as "bug free". Did you factor in the framework? The OS? I thought not.

    --
    Feed the need: Digitaladdiction.net
  10. Meh by snookiex · · Score: 2

    It's more profitable to exploit a MS product vulnerability than filing a bug report and getting a few bucks.

    --
    Open Source Network Inventory for the masses! Kuwaiba