Microsoft Threatens Bountii for Exposing Bing Cashback Flaw - litzpa
http://bountii.com/blog/2009/11/07/surrendering-to-microsoft-and-bing-cashback/

======
awa
Shouldn't the author have first contacted MS, letting them know of the flaw, and
made a post (and taken the credit) after they had fixed the flaw? That is
what I have seen happen in the past when the DNS flaw was discovered and also
recently when the Twitter XSS vulnerability was found.

~~~
Afton
This is considered standard. You only go public with a live exploit if the
company shows no interest in fixing it. The author receives no sympathy from
me on this.

~~~
holdenk
Regardless of whether what the author did is deserving of sympathy, I think most of
us can agree that the correct course of action is fixing the security bug
rather than trying to cover it up. I mean, we all know how well that works.

------
markerdmann
The original post can be found in this Google cache:

[http://74.125.155.132/search?q=cache:3hxOgSPu460J:bountii.co...](http://74.125.155.132/search?q=cache:3hxOgSPu460J:bountii.com/blog/+breaking+bing+cashback&cd=17&hl=en&ct=clnk&gl=us&client=firefox-a)

If that doesn't work, the text has also mysteriously made its way into this
EtherPad:

<http://etherpad.com/0feqRE5pmE>

~~~
paulgb
For extra irony, the post is also available from Bing's cache:

[http://cc.bingj.com/cache.aspx?d=4879267570255838&mkt=en...](http://cc.bingj.com/cache.aspx?d=4879267570255838&mkt=en-CA&setlang=en-US&w=90157511,9ea4ebc5)

~~~
GrandMasterBirt
KA-POW!

Feels like that episode of Family Guy (post-apocalypse) when the town destroys
all weapons only to be destroyed by mutated Stewies.

------
tptacek
Wow. Weird. You can drop a zero-day remote vulnerability in Vista and not get
a C&D. The MSN people must be touchy.

~~~
ComputerGuru
Because here Microsoft loses money. A Vista remote vulnerability means
Microsoft's customers lose money. :P

~~~
tptacek
Microsoft loses a shit-ton of money on OS vulnerabilities.

~~~
rbanffy
Care to explain that?

Because their only important clients - those responsible for about 90% of
their revenue (Acer, Lenovo, HP, IBM and Dell) - are still buying lots of
licenses.

~~~
tptacek
Think about how many people have to work, and for how long, on every OS fix
Microsoft publishes, and you have a starting point.

~~~
rbanffy
I gather that's a high multiple of what was saved in quality assurance.

Sometimes, software QA is a gamble. You don't spend all the money you need to
make 100% perfect software, expecting to pay for the correction of all bugs
that are discovered and that cost you money in support calls, lost business
and lawsuits. Mind you - most of the support calls are to their OEMs.

~~~
tptacek
Microsoft spends huge on QA. Unusually so. Google "Microsoft QA ratio" for
starters. That has nothing to do with security. QA doesn't find security bugs,
because security bugs are different from normal bugs: they're only possible
under subtle adversarial conditions.

~~~
rbanffy
It's not about how much you spend. It's the result you achieve.

It seems the architecture of Windows and its backward compatibility are a
growing burden on Microsoft's shoulders.

The sad truth in software business is that you don't have to make your product
robust enough to last forever, just long enough for you to pocket your bonus
and retire.

I also have a problem with the idea that security bugs are not ordinary bugs.
Bugs are parts of the program that don't do what should be done; be it about
crashing, corrupting data or handing over the keys to your kingdom, they are
still bugs and should be detected and corrected.

~~~
tptacek
"I have a problem with the idea that security bugs aren't ordinary bugs, [...]
because they are still bugs and should be detected and corrected".

You just said absolutely nothing about security flaws OR QA. You want to try
again? Because I think all you've got here is, "bugs should get fixed". Yeah,
you got me there.

~~~
rbanffy
"Microsoft spends huge on QA" and "QA doesn't find security bugs" are things
you said.

If their QA can't find security bugs, then, perhaps, they should rethink what
software quality means to them. Remember: even if bugs cost them millions of
dollars, they cost even more to their customers.

~~~
tptacek
Ricardo, can you point me to the security flaws you've discovered and
documented? I looked you up on LinkedIn, and you have a long resume in
software development --- but no apparent experience whatsoever in software
security.

Your claims about QA and security are so wildly outside my own experience and
the general understanding of my field that I'm wondering where you get the
confidence to make them so forcefully. I've never met a QA team _anywhere_
that could reasonably be left responsible for testing software security.

~~~
rbanffy
I don't work with software security and have discovered absolutely no new
security flaws. I have, however, experienced many and created some in the long
career you refer to.

Still, none of the security problems I wrote into my code could be blamed on
highly adversarial conditions - all of them were plain bugs, places I forgot
to do something or when I trusted something one should never trust.

The fact that you never met a QA team that could uncover security problems possibly
stems from them not looking into the code itself and never having the
responsibility of finding such problems. Validating compliance, correctness of
observed behavior and even overall user experience is also called quality
assurance, but it is, by no means, defining of the whole software quality
concept.

~~~
tptacek
As long as we're clear that by "them", I mean "a broad cross section of the
whole industry, from embedded infrastructure code to 'web 2.0'", and you mean
"the fictitious QA team that works the way I say QA teams do", then I think we
agree.

Because I'm telling you that you're wrong about the relationship between QA
and security in the real world.

~~~
rbanffy
I am deeply sorry you never met such a team. It's a most gratifying
experience.

------
mattmaroon
That Samir guy is pretty shady :)

Seriously though guys, glad to see you're doing well. I hope the publicity
nets you a traffic spike that results in more revenue than the $2k you could
have kept.

------
jsz0
The MS Cashback program is great. I don't think it's doing a thing to attract
people to Bing but I've used it to buy several Macs at a nice discount off
eBay. Thank you Microsoft.

------
kul
Hmm, it may have been worth milking this for as much publicity as possible.

------
Keyframe
Kind of a dick move by Bountii.

~~~
gbangbama
Dick move indeed. He should have kept it to himself and friends and made as
much as he could from them, or better yet hinted to a few cronies to make the easy
money as well. I'll bet he was trying a little altruism only to encounter the
threat of a possible sentence. Bountii, if you discover a loophole again, email
me, I'll pay you for the tip. viabyte at yahoo dot com