Slashdot Mirror


Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools (microsoft.com)

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.

19 of 43 comments

  1. I've got a deal for someone... by grimmjeeper · · Score: 4, Informative

    Whoever is working on building this code, we can split any bug bounty money 50/50...

    1. Re:I've got a deal for someone... by phantomfive · · Score: 1

      Hello, Mr Nadella, thanks for visiting Slashdot. Might I suggest creating an account?

      --
"First they came for the slanderers and I said nothing."

  2. For $15K? Still not worth reporting it. by xxxJonBoyxxx · · Score: 2

    >> Core CLR...and ASP.NET

    Those are kind of a big deal in corporate America. If you find a good zero-day in either of those, the market might pay more than that just to exploit it at a single company, let alone a universal exploit. I'm thinking Microsoft may need to put some real money into this program to keep researchers on the light side of the force.

  3. $15k? by TechyImmigrant · · Score: 1

    That isn't enough to get me to jack in my job and go bug hunting full time.

    --
I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    1. Re:$15k? by DoofusOfDeath · · Score: 2

      If I knew for sure that I'd win the bounty, and that they'd pay the full $15k, and that it wouldn't take me too long to get it, I'd happily burn a little vacation time.

      But otherwise, the mathematical expectation is way too low.

    2. Re:$15k? by Ravaldy · · Score: 2

      I don't think the intent is to motivate full time bug hunting but rather allow those who suspect a bug to have the motivation to dig deeper. This is especially true of those in the enterprise level security consulting where they have a responsibility of testing for vulnerabilities or understanding the source of a security failure at their customer's.

      I know people who have monetized exploitation of a bug. The reward is often limited unless you are willing to go the next level of exploitation which has higher rewards but is also riskier and out of range for most (intellectual property theft, email spamming, and general financial theft). Legitimate money for the same findings will deter some from exploiting quietly.

  4. Is it more or less than the market price? by 140Mandak262Jamuna · · Score: 1

Is the reward offered by this bug bounty program higher than what that exploit would fetch if you sold it to Bulgarians or Russians? If not, why not?

    --
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:Is it more or less than the market price? by pr0fessor · · Score: 1

No clue, but the bounty is almost a million rubles.

  5. There is no zero day exploit. It's still in dev by chrisfcarroll · · Score: 1

dotNet Core is still in dev and no version of Windows yet ships with it. So no zero-dayness is possible. .Net Framework versions up to 4.6 are the current live versions.

    --
"In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"

  6. A sensible approach to open source security by chrisfcarroll · · Score: 5, Insightful

    What is interesting however is the thought that developer, documentation and test contributions to open source are unpaid, but security contributions are paid for. Possibly this reflects a lesson of the past 30 years that pretty much nobody in the world is capable of shipping fully secure software for general purpose computers.

    --
"In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"

    1. Re:A sensible approach to open source security by Anonymous Coward · · Score: 1

      Whenever I see the phrase "general purpose computer" it makes me shudder as it implies hardware that can be used for any purpose. The language used in that quote is to imply that this hardware can be used to molest your children and other more specific hardware can't be used for this purpose. lol

      Does it have a processor that can contain run functions for your own use and RAM that isn't constrained by software and firmware that you don't control? Voila - it's a general purpose computer.

Even freakishly slanted silicon like GPUs and DSPs can mostly be used as a "general purpose computer" as long as you don't expect it to be as fast/efficient. Mostly. Please see your local Big E for technical details.

      Sorry - that phrase "general purpose computer" just bothers the hell out of me.

      If you think that "pretty much nobody in the world is capable of shipping fully secure software for general purpose computers" is correct... let me give you a clue buddy - even since before 1985 nobody has been "capable of shipping fully secure software for general purpose computers".

      We've all been doing the best we can. Information Security isn't a new thing even since before the days of Bletchley Park. Asshole.

  7. Re:M$ IS MALWARE by phantomfive · · Score: 1

    You got modded troll, but the closer it gets to being a "trusted" OS, the closer it gets to being malware. Remember "trusted" means they don't trust you, and that they control the platform.

    --
"First they came for the slanderers and I said nothing."

  8. Re:For $15K? Still not worth reporting it. by cdrudge · · Score: 1

    So a person would need to choose between making up to $15k in a legal fashion that ultimately makes a product more secure and could benefit many companies...or sell it to nefarious people possibly for more money, but your exploit is used to attack companies and ultimately may trace back to you. Decisions decisions decisions.

  9. Re:For $15K? Still not worth reporting it. by phantomfive · · Score: 1

    Apparently these types of exploits can be sold legally for $100k.

    --
"First they came for the slanderers and I said nothing."

  10. Re:Who'd bother? by phantomfive · · Score: 1

    Not to be too rude about it - but does anyone actually trust Microsoft to pay off on this unless the exploit is stupidly egregious?

    If you want them to pay the $15k, you need to have a working exploit, and XSS doesn't count, even though it should.
    So no, they've stated they won't pay unless the exploit is stupidly egregious.

    --
"First they came for the slanderers and I said nothing."

  11. I think the most ironic part is that... by tlambert · · Score: 1

    I think the most ironic part is that they are willing to pay up to $15K for a bug + a white paper on the bug, but not willing to pay anything more, should you include patches that actually fix the bug.

    You would think that a bug *fix* was the end goal.

    I'm of two minds, as to why this is the case:

    (1) They just don't get this whole "Open Source" thing yet, although they seem to be trying really, really hard

    (2) The intent of the program is actually to get the white papers, rather than the bug fixes. That, in turn, has several possible motivations, but I think the most likely of those motivations are:

(2)(A) They want to find security people to hire through this program, and this is easier than evaluating the honesty of a resume, or trusting an interview process to discern between someone who can't do the job, someone who can do it (but probably won't), and someone who can and will do the job. In other words, it's a pretty cheap candidate qualification mechanism, compared to traditional HR processes in this regard (qualified candidate acquisition probably costs them many multiples of $15K per qualified candidate they find, since they have to put the unqualified ones through the same process to weed them out). If so, it's clever and innovative.

    (2)(B) They want to obtain an insight into the correct mindset to use when approaching an exploit, so that they can quantify it, and teach it to other people. This would be a much more ambitious use of the data, since not a day goes by when there isn't some idiot wanting to "learn security" from the perspective of someone who can do a systems penetration posting on Slashdot (in fact, there was a new article on it on Slashdot today, not just an isolated idiot post). I'm pretty sure that they will fail in this regard, but I do have to wonder if there is government "cyber warfare" (finger quotes intentional) dollars underwriting this.

So I'm generally suspicious of the motivations and/or cluefulness of such a program, but hey, having a program at all is a step forward.

    1. Re:I think the most ironic part is that... by bmajik · · Score: 2

      I'm not in any way involved with this specific program, but I do work on VisualStudio.

      It's pretty common for all kinds of software projects to take bug reports - even very detailed and thorough ones - from people who ultimately don't end up fixing the bug.

The interesting thing about finding a security bug, especially with the constraints described here (a working exploit and a white paper), is that it's pretty unambiguous that you've found one. You either have or you haven't.

      Now, how to actually fix that bug might be a lot more nuanced.

      This statement isn't made to in any way imply that a researcher who could find such a bug _couldn't_ also fix it.

Rather, some bug fixes may be preferable to others, from Microsoft's point of view. And so, my impression is: we're not looking for patches that we'd end up re-writing. We're looking for the really nasty bugs, and then we'll go off and come up with fixes that satisfy the big pile of requirements that we have [for example, performance impact].

      A valid observation would be, "if these were really open source projects, anyone in the community would be able to run the same regression and performance tests that Microsoft would run, and thus be able to make perfectly valid fixes themselves"

      Well, to a point. Long long ago, I found an IDE driver bug in OpenBSD and submitted a fix for it. The fix was substantially re-written by the maintainer, and, ultimately the whole subsystem was replaced in the next version anyhow.

      My fix met the functional requirements, so near as I can tell. But there are things like coding style, or maybe even the personal preferences by the project maintainer(s), that can still impact how a particular patch gets rejected or modified prior to being committed.

      Furthermore, I think we would hate for there to be a vuln out there that somebody knows about, but is sitting on until they can come up with a fix that they like.

      So, yes, I think we really just want the vulnerability reports, well substantiated and with demonstrated exploits. Finding those things is still very much a niche skill.

      Fixing them, once they are understood, and balancing those fixes with the other requirements in the system, is more bread-and-butter Microsoft engineer stuff.

FWIW, I've been at Microsoft 15 years, much of it in VisualStudio. Before that, I worked only with UNIX systems, and I've stayed up to date as a hobby.

      The way we are trying to engage with Apple, Linux, and F/OSS in general is completely unlike anything we did up until just the last year or so. People I've worked with for years are suddenly diving headlong into Linux development. Arguments that I tried to make a decade ago are now being made by other people.

      It's a really interesting time at the company.

      --
My opinions are my own, and do not necessarily represent those of my employer.

  12. Re:M$ IS MALWARE by Njorthbiatr · · Score: 1

    You missed the joke. I used C# syntax.

  13. Re:For $15K? Still not worth reporting it. by cdrudge · · Score: 1

Sorry, this has to be just for good PR, and therefore probably hatched from the Marketing division.

Wait...you mean a company would do something that would be good for PR? I'm shocked that this could ever happen!