Slashdot Mirror


Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools (microsoft.com)

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.

43 comments

  1. I've got a deal for someone... by grimmjeeper · · Score: 4, Informative

    Whoever is working on building this code, we can split any bug bounty money 50/50...

    1. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0, Insightful

      This is about showing goodwill and being more community minded. Under the new CEO, Microsoft is becoming more and more open. Don't, however, ever believe that Microsoft should or would be an open source company. And I don't think they should be. There is room for everyone in this industry. Align yourself with whomever resembles your IT outlook. Look not at the negatives, but rather what are the positives. Majoring in the minor gets none of us anywhere. This bug bounty thing is a good idea. Works for Google and loads of others, and if you are good at spotting bugs and mistakes, you get a little money. Win-win.

    2. Re:I've got a deal for someone... by phantomfive · · Score: 1

      Hello, Mr Nadella, thanks for visiting Slashdot. Might I suggest creating an account?

      --
      "First they came for the slanderers and i said nothing."
    3. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0

      MS should be more careful about their code quality / instructions on how to build:

      I cloned corefx's git repo and ran build from VS command prompt as instructed here: https://github.com/dotnet/corefx/blob/master/Documentation/building/windows-instructions.md

      Here's what I got:

      D:\git\corefx>build
          Restoring all packages...

          Unhandled Exception:

          Unhandled Exception: Unhandled Exception:
          Unhandled Exception: Unhandled Exception:
          Unhandled Exception: Unhandled Exception:
          Unhandled Exception:
          Unhandled Exception:
          Unhandled Exception:
          Unhandled Exception:
          Unhandled Exception: System.ArgumentNullException: Value cannot be null.
          Parameter name: SafeHandle cannot be null.

    4. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0

      Satya Nadella is a joke. He doesn't even get what a general purpose desktop OS is supposed to be. Instead they released that spyware/adware travesty known as "Windows 10".

      I was never an MS fanboy, but I did use their operating systems for decades. MS-DOS and previous versions of Windows all had their little quirks and annoyances, but I could always work around them. With Windows 10 being so anti-privacy, disrespectful and user hostile, I have finally made the switch away from MS and I could not be happier. I've been able to find replacements for all my software, in many cases superior replacements.

    5. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0

      Microsoft is stupid. They could just give Visual Studio the Malware 10 makeover and get beta testers for free, along with being able to steal all of their code.

    6. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0

      Cool story bro.

    7. Re:I've got a deal for someone... by Anonymous Coward · · Score: 0

      Look not at the negatives, but rather what are the positives.

      What kind of bullshit is this? If you don't look at both the negatives and positives when evaluating options, you are not doing your job properly.

  2. Malware is for C# cows. by Anonymous Coward · · Score: 0

    Moooooo#####Moooooooo

  3. Re:... up to $15,000 by Anonymous Coward · · Score: 0

    You Loch Ness Monster! I ain't givin' you no tree-fiddy!

  4. For $15K? Still not worth reporting it. by xxxJonBoyxxx · · Score: 2

    >> Core CLR...and ASP.NET

    Those are kind of a big deal in corporate America. If you find a good zero-day in either of those, the market might pay more than that just to exploit it at a single company, let alone a universal exploit. I'm thinking Microsoft may need to put some real money into this program to keep researchers on the light side of the force.

    1. Re: For $15K? Still not worth reporting it. by Anonymous Coward · · Score: 0

      Ironically you can't be sure which option is safer legally despite the legality of one vs the other. So many companies throw legal hissy fits when a security researcher points out a bug that could cause incredible damage if abused. Maybe it threatens the quarterly bonus of their top sociopath.

  5. $15k? by TechyImmigrant · · Score: 1

    That isn't enough to get me to jack in my job and go bug hunting full time.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:$15k? by DoofusOfDeath · · Score: 2

      If I knew for sure that I'd win the bounty, and that they'd pay the full $15k, and that it wouldn't take me too long to get it, I'd happily burn a little vacation time.

      But otherwise, the mathematical expectation is way too low.

    2. Re:$15k? by Ravaldy · · Score: 2

      I don't think the intent is to motivate full-time bug hunting but rather to allow those who suspect a bug to have the motivation to dig deeper. This is especially true of those in enterprise-level security consulting, where they have a responsibility to test for vulnerabilities or to understand the source of a security failure at their customers'.

      I know people who have monetized exploitation of a bug. The reward is often limited unless you are willing to go the next level of exploitation which has higher rewards but is also riskier and out of range for most (intellectual property theft, email spamming, and general financial theft). Legitimate money for the same findings will deter some from exploiting quietly.

  6. Is it more or less than the market price? by 140Mandak262Jamuna · · Score: 1

    Is the reward offered by this bug bounty program higher than what that exploit would fetch if you sold it to Bulgarians or Russians? If not, why not?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it more or less than the market price? by pr0fessor · · Score: 1

      No clue, but the bounty is almost a million rubles.

  7. There is no zero day exploit. It's still in dev by chrisfcarroll · · Score: 1

    dotNet Core is still in dev and no version of Windows yet ships with it. So no zero-dayness is possible. .Net Framework versions up to 4.6 are the current live versions.

    --
    "In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"
  8. A sensible approach to open source security by chrisfcarroll · · Score: 5, Insightful

    What is interesting however is the thought that developer, documentation and test contributions to open source are unpaid, but security contributions are paid for. Possibly this reflects a lesson of the past 30 years that pretty much nobody in the world is capable of shipping fully secure software for general purpose computers.

    --
    "In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"
    1. Re:A sensible approach to open source security by Anonymous Coward · · Score: 0

      In this case, Microsoft is doing by far the lion's share of the development, documentation, and test for these particular open source products, although I think they may accept contributions.

    2. Re:A sensible approach to open source security by Anonymous Coward · · Score: 1

      Whenever I see the phrase "general purpose computer" it makes me shudder as it implies hardware that can be used for any purpose. The language used in that quote is to imply that this hardware can be used to molest your children and other more specific hardware can't be used for this purpose. lol

      Does it have a processor that can run functions for your own use and RAM that isn't constrained by software and firmware that you don't control? Voila - it's a general purpose computer.

      Even freakishly slanted silicon like GPUs and DSPs can mostly be used as a "general purpose computer" as long as you don't expect it to be as fast/efficient. Mostly. Please see your local Big E for technical details.

      Sorry - that phrase "general purpose computer" just bothers the hell out of me.

      If you think that "pretty much nobody in the world is capable of shipping fully secure software for general purpose computers" is correct... let me give you a clue buddy - even since before 1985 nobody has been "capable of shipping fully secure software for general purpose computers".

      We've all been doing the best we can. Information Security isn't a new thing even since before the days of Bletchley Park. Asshole.

    3. Re:A sensible approach to open source security by Anonymous Coward · · Score: 0

      Possibly. But the biggest issue is that open source will always be more secure because the code is open. In the proprietary world, if it's 4:59 on a Friday and Joe Programmer doesn't feel like fixing that exploit, oh well, there's always next week. Or the week after...

  9. Re:M$ IS MALWARE by phantomfive · · Score: 1

    You got modded troll, but the closer it gets to being a "trusted" OS, the closer it gets to being malware. Remember "trusted" means they don't trust you, and that they control the platform.

    --
    "First they came for the slanderers and i said nothing."
  10. Re:For $15K? Still not worth reporting it. by cdrudge · · Score: 1

    So a person would need to choose between making up to $15k in a legal fashion that ultimately makes a product more secure and could benefit many companies...or sell it to nefarious people possibly for more money, but your exploit is used to attack companies and ultimately may trace back to you. Decisions decisions decisions.

  11. Re:For $15K? Still not worth reporting it. by Anonymous Coward · · Score: 0

    No, they're paying good money for these kinds of remote exploits to hand over to the NSA. They'll attempt to look like they're dragging their feet and slowly implementing a fix but really they're allowing the exploits to be used as zero days in the meantime by the government.

  12. Re:For $15K? Still not worth reporting it. by Anonymous Coward · · Score: 0

    Neither of the two products in discussion are in production yet.

  13. Who'd bother? by Anonymous Coward · · Score: 0

    Not to be too rude about it - but does anyone actually trust Microsoft to pay off on this unless the exploit is stupidly egregious?

    That thought has to be on the minds of anyone looking to use this bounty program.

    I'm not pro/con anyone for the most part and I wouldn't try submitting anything to this. It would just be bad business to trust a company that has repeatedly and successfully covered up public exploits and vulnerabilities in the past. They've used their 'abundance of use'/penetration, financial, and legal resources so often it's basically an open secret among people who care about this kind of thing.

    Just my two cents. *shrugs*

    1. Re:Who'd bother? by phantomfive · · Score: 1

      Not to be too rude about it - but does anyone actually trust Microsoft to pay off on this unless the exploit is stupidly egregious?

      If you want them to pay the $15k, you need to have a working exploit, and XSS doesn't count, even though it should.
      So no, they've stated they won't pay unless the exploit is stupidly egregious.

      --
      "First they came for the slanderers and i said nothing."
  14. 15K...not worth it. by Anonymous Coward · · Score: 0

    By the time you dig down through the code base, run the tests, develop the exploit code and write the paper...most devs could have earned twice that elsewhere. Otherwise, you'll only find glaring bugs.

    Microsoft should invest in a platform like Watson and have it dedicated to evolving hacking solutions for each portion of its codebase. That's what intel agencies do and it's the only way to ensure top quality code.

  15. Re:For $15K? Still not worth reporting it. by phantomfive · · Score: 1

    Apparently these types of exploits can be sold legally for $100k.

    --
    "First they came for the slanderers and i said nothing."
  16. I think the most ironic part is that... by tlambert · · Score: 1

    I think the most ironic part is that they are willing to pay up to $15K for a bug + a white paper on the bug, but not willing to pay anything more, should you include patches that actually fix the bug.

    You would think that a bug *fix* was the end goal.

    I'm of two minds, as to why this is the case:

    (1) They just don't get this whole "Open Source" thing yet, although they seem to be trying really, really hard

    (2) The intent of the program is actually to get the white papers, rather than the bug fixes. That, in turn, has several possible motivations, but I think the most likely of those motivations are:

    (2)(A) They want to find security people to hire through this program, and this is easier than evaluating the honesty of a resume, or trusting an interview process to discern between someone who can't do the job, someone who can do it (but probably won't), and someone who can and will do the job. In other words, it's a pretty cheap candidate qualification mechanism, compared to traditional HR processes in this regard (qualified candidate acquisition probably costs them many multiples of $15K per qualified candidate they find, since they have to put the unqualified ones through the same process to weed them out). If so, it's clever and innovative.

    (2)(B) They want to obtain an insight into the correct mindset to use when approaching an exploit, so that they can quantify it, and teach it to other people. This would be a much more ambitious use of the data, since not a day goes by when there isn't some idiot wanting to "learn security" from the perspective of someone who can do a systems penetration posting on Slashdot (in fact, there was a new article on it on Slashdot today, not just an isolated idiot post). I'm pretty sure that they will fail in this regard, but I do have to wonder if there is government "cyber warfare" (finger quotes intentional) dollars underwriting this.

    So I'm generally suspicious of the motivations and/or cluefullness of such a program, but hey, having a program at all is a step forward.

    1. Re:I think the most ironic part is that... by bmajik · · Score: 2

      I'm not in any way involved with this specific program, but I do work on VisualStudio.

      It's pretty common for all kinds of software projects to take bug reports - even very detailed and thorough ones - from people who ultimately don't end up fixing the bug.

      The interesting thing about finding a security bug - especially with the constraints described here - a working exploit and a white paper - it's pretty unambiguous that you've found one. You either have or you haven't.

      Now, how to actually fix that bug might be a lot more nuanced.

      This statement isn't made to in any way imply that a researcher who could find such a bug _couldn't_ also fix it.

      Rather, some bug fixes may be preferable to others, from Microsoft's point of view. And so, my impression is - we're not looking for patches that we'd end up re-writing. We're looking for the really nasty bugs, and then we'll go off and come up with fixes that satisfy the big pile of requirements that we have [for example, performance impact]

      A valid observation would be, "if these were really open source projects, anyone in the community would be able to run the same regression and performance tests that Microsoft would run, and thus be able to make perfectly valid fixes themselves"

      Well, to a point. Long long ago, I found an IDE driver bug in OpenBSD and submitted a fix for it. The fix was substantially re-written by the maintainer, and, ultimately the whole subsystem was replaced in the next version anyhow.

      My fix met the functional requirements, so near as I can tell. But there are things like coding style, or maybe even the personal preferences by the project maintainer(s), that can still impact how a particular patch gets rejected or modified prior to being committed.

      Furthermore, I think we would hate for there to be a vuln out there that somebody knows about, but is sitting on until they can come up with a fix that they like.

      So, yes, I think we really just want the vulnerability reports, well substantiated and with demonstrated exploits. Finding those things is still very much a niche skill.

      Fixing them, once they are understood, and balancing those fixes with the other requirements in the system, is more bread-and-butter Microsoft engineer stuff.

      fwiw, I've been at Microsoft 15 years, much of it in VisualStudio. Before that, I worked only with UNIX systems, and I've stayed up to date as a hobby.

      The way we are trying to engage with Apple, Linux, and F/OSS in general is completely unlike anything we did up until just the last year or so. People I've worked with for years are suddenly diving headlong into Linux development. Arguments that I tried to make a decade ago are now being made by other people.

      It's a really interesting time at the company.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  17. Re:For $15K? Still not worth reporting it. by Anonymous Coward · · Score: 0

    The chance of getting tracked back to you is extremely slim. And $150k for a zero-day used for corporate espionage is definitely in the realm of possibility.

    There isn't any amount of money Microsoft can offer. Put simply, they need to clean up their shitty code to have any effect.

    And besides, why should Microsoft care about their customers? They're locked into inescapable contracts, file formats and boatloads of MCSE drones on the payroll...with no hope for escape. Oh and of course EULA indemnity against any defects.

    Sorry this has to be just for good PR, and therefore probably hatched from the Marketing division.

  18. Re:For $15K? Still not worth reporting it. by Anonymous Coward · · Score: 0

    And further, both are open source.

  19. Re:M$ IS MALWARE by Njorthbiatr · · Score: 1

    You missed the joke. I used C# syntax.

  20. Re:For $15K? Still not worth reporting it. by cdrudge · · Score: 1

    Sorry this has to be just for good PR, and therefore probably hatched from the Marketing division.

    Wait...you mean a company would do something that would be good for PR? I'm shocked that this could ever happen!

  21. Visual smarter by Anonymous Coward · · Score: 0

    Visual Smarter has a lot of tools for Visual Studio. It's worth a try:
    Http://VisualSmarter.blogspot.com