
Microsoft Announces Direct Cash Payments For Vulnerabilities - tptacek
http://www.microsoft.com/security/msrc/report/bountyprograms.aspx
======
tptacek
Including up to $100k for platform anti-exploitation bypasses; I think
Microsoft might be unique in offering a huge bonus for core platform
exploitation; they are really serious about the core approach of making the OS
and C/C++ runtime hard to write reliable exploits for, which is an interesting
approach.

Also interesting because Microsoft was once publicly opposed to programs like
these:

[https://threatpost.com/microsoft-says-no-paying-bug-bounties...](https://threatpost.com/microsoft-says-no-paying-bug-bounties-072210/)

~~~
jdp23
tptacek, are there significant changes in the vulnerability landscape since
2010 that could have led to Microsoft's change in position?

~~~
tptacek
I can't think of any. Just inertia on MSFT's part. This is just part of the
overall trend of legitimizing vulnerability research, instead of trying to
ostracize or (worse) legally threaten them.

------
nealabq
Good, they're allowing minors (14 and older) to participate. From the FAQ (
[http://www.microsoft.com/security/msrc/report/guidelines.asp...](http://www.microsoft.com/security/msrc/report/guidelines.aspx#)
):

 _Is there an age limit for participants?

Researchers 14 years of age or older may submit bypasses and defense ideas to
the program. If you are at least 14 years old but are considered a minor in
your place of residence, you must ask your parent’s or legal guardian’s
permission prior to participating in this program. Please see the program
guidelines for full information on eligibility._

~~~
jmgrosen
Awesome! Looks like it's time to get hacking.

------
ihsw
'Responsible disclosure' is probably one of the worst things to happen to the
cyber-security industry, and the $100K carrot-on-a-stick is only going to make
it worse.

Selling exploits to customers who don't intend on fixing the exploit (buying a
hacker's silence) is exactly the nightmare that came to light regarding MS
releasing exploit information to NSA prior to releasing publicly-available
bugfixes, and these kinds of monetary incentives to the security community
will only make things worse.

Read more: [https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales...](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate)

These exploits are effectively high-tech weaponry and they should be treated
similarly.

~~~
tptacek
Where's a professional vulnerability researcher I can read making the same
case? My feed is full of researchers saying how great this is, and how big an
accomplishment it was that Katie Moussouris and her team managed to pull it
off after Microsoft publicly declared itself opposed to bug bounties.

The work required to build reliable exploits against hardened Windows can take
months. Why shouldn't researchers be compensated for that work? If you don't
want to accept payment for it, that's fine; don't. But why is it bad for other
people to do so?

~~~
ihsw
I'm not arguing about compensation, I'm arguing about public safety. People
and organizations selling exploits are effectively complicit in the damage
resulting from their sales.

~~~
tptacek
These are people selling vulnerability research to the only company in the
world that is capable of effectively fixing those vulnerabilities.

~~~
ihsw
That's exactly my point, which is why it's dangerous. If the exploits were
made public as soon as possible (full disclosure) then MS will have incentive
to release bugfixes as soon as possible to the general public.

~~~
tptacek
If you want to release your vulnerabilities publicly, Microsoft isn't stopping
you.

~~~
dvmmh
By taking the cash, I am sure you are bound by secrecy enforced by jail time.
I see these increased payments as hush money to keep researchers quiet while
they feed them to the NSA for zero day exploits.

~~~
sliverstorm
Why would Microsoft sell the NSA exploits some black hat came up with against
_their own operating system_? They can just install a backdoor.

~~~
davorak
They do not have to pay a programmer to put in a back door who may one day
talk about it. Fewer people need to know about the program in general.

By default a naturally occurring exploit probably upon inspection looks less
intentional than one put there on purpose.

~~~
danielweber
_Fewer people need to know about the program in general_

. . . except for the outsider who mailed them about it and got paid a chunk of
money as a result.

~~~
davorak
This person would just be reporting an exploit and getting paid for it.

They would not know about the program which takes that exploit and then gives
it to the NSA.

~~~
sliverstorm
And why would a programmer know it was for the NSA? Just tell your underling,
"We need a backdoor for <Plausible reason>"

------
huxley
Hopefully it drives the right behaviour.

[http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix](http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix)

~~~
dennisgorelik
How did you find such an old comic on Dilbert?

~~~
huxley
It wasn't hard, it was one of the better ones from back when I still read
Dilbert, so it stuck in the sieve that is my mind.

Searching for Dilbert bug bounty brought it up in the top results.

------
InternalRun
I think this is great, nice to finally see microsoft following suit.

------
gesman
Someone should start an auction site with one seller (discoverer of
vulnerability) and two buyers: Ballmer on one side and blackhatters on the
other.

This would make things fair.

~~~
throwaway10001
Assuming that's legal. I know bugs are sold, sometimes openly, but it depends
on how the FBI wants to see it.

~~~
tptacek
It's probably not legal to knowingly sell an exploit to someone that a
reasonable person would believe was going to use it to commit a crime.

~~~
iy56
Solution: anonymous buyers.

~~~
gesman
Yup. Anonymous buyers vs. MSFT. Or else! Ballmer cannot dictate his own prices
for hot commodity.

If he is smart enough to hire cheapo programmers and suppress creativity and
initiative, he has to pay for his technical debt to clean the mess up.

~~~
throwaway10001
It's all anon, fun and games until the SWAT team shows up :-)

In all seriousness, any package as complex as Windows and Office is bound to
have bugs, many, many bugs.

------
djcapelis
Hmm, the 30 day window for IE11 attacks seems a bit small if they want someone
to be able to do a solid job at developing an exploit. I mean it's doable of
course, but for 11k working on that short of a timeframe might not be terribly
attractive to some of the better folks in the industry.

------
bluepanda_
$150 for mitigation bypass and a defensive solution? That's one way to make an
annual salary.

~~~
lawnchair_larry
Yeah, but people who can deliver this already make that much at a day job.

It appears to be a lot better than their BlueHat Prize, which was crowd-
sourced spec work and they kept rights to all of the submissions, despite not
paying for any beyond the top two or three.

~~~
bluepanda_
Indeed, there is progress for whoever finds these vulnerabilities. And I'm
sure they wouldn't mind doubling their salary.

------
Ziomislaw
do they want to go bankrupt? ;)

~~~
fixxer
This had me rolling!

------
bediger4000
How much does Microsoft get from the US government for those same
vulnerabilities? More or less than what they pay the outside researchers? Are
the "direct cash payments" tax-deductible? Is the government money taxable or
not?

Now that we know Microsoft passes vulns along to the NSA, this looks a lot
different.

~~~
tptacek
Can you find a single professional vulnerability researcher --- many of whom
are openly critical of Microsoft --- that agrees with this point of view? Or
are you just trying to connect every pair of dots you can find?

Another thing to note: when you claim a bounty for a vulnerability from
Microsoft, you can be pretty confident that the vulnerability will at some
point be fixed. When you sell it to a government yourself, the opposite is
true.

~~~
benregenspan
I don't see what's wrong with speculating about this. It seems to be a
completely valid concern given the recent news that Microsoft has, in the
past, shared 0-days with the NSA. It is not an outlandish conspiracy theory to
think that, after being informed of a vulnerability, Microsoft could pass it
on to intelligence agencies in advance of Patch Tuesday, giving them up to 2
weeks' time to make use of the exploits. "Past behavior is the best predictor
of future behavior", and all that.

[edit]Link for reference, if anyone missed that particular news:
[http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...](http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html) [/edit]

~~~
tptacek
Microsoft passes information about vulnerabilities to all sorts of companies
prior to Patch Tuesday, not just government agencies. That's not news; it only
seems like news because the people paying attention to the NSA stories don't
generally pay attention to how security patch management works.

NSA does not need Microsoft's help to break into Windows boxes.

What's wrong with speculating that the Microsoft Bug Bounty is an NSA-
influenced plot to funnel zero-day to the government is that that's a stupid
conspiracy theory. It's elaborate and complicated in ways that the NSA doesn't
need to deal with. It also casts aspersions on the people at Microsoft --- who
are actual people who you can actually talk to --- who worked very hard to
make this program happen after Microsoft spent years being criticized for not
doing this.

~~~
benregenspan
"Redmond, Washington-based Microsoft (MSFT) and other software or Internet
security companies have been aware that this type of early alert allowed the
U.S. to exploit vulnerabilities in software sold to foreign governments,
according to two U.S. officials"

From this and other assertions made in the Bloomberg piece, it seems very fair
not to read this as conventional patch management, but as a special
arrangement with intelligence agencies. And to read this as, yes, from time to
time Microsoft's help _does_ get the NSA into Windows boxes.

Now, we all know that tech reporting often leaves something to be desired. If
you're saying the officials were wrong or quoted out of context, then that's
fine. But it's not reasonable to dismiss this out of hand as some outlandish
Alex Jonesian conspiracy theory.

BTW, obviously I'm not saying that Microsoft's bug bounty program is an NSA
plot. It's a good program that every major company should have. I'm also not
saying that they don't share bugs with other partners ahead of time, they
obviously do. Just that from what the sources in this article (which again,
did not originally appear on infowars.com) say, Microsoft does have a special
arrangement with intelligence agencies and from time to time has shared bugs
knowing they might be exploited by said agencies. The bug bounty program could
find the sort of bugs that would (incidentally) be shared as part of this
arrangement.

------
ivabz
Seems like Microsoft has already backed off from its offering. The post has
been removed from their website.

~~~
jacalata
Works for me.

