
Announcing the Windows Bounty Program - el_duderino
https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/
======
tiffanyh
I wonder what impact this will have on open source software (OSS).

OSS can't afford to pay people to look for bugs and improve the overall
software. But commercial companies can.

I wonder if there will exist a date/time in the future where closed-source
software, because of these bug bounties, will yield better (less buggy)
software vs OSS.

~~~
kazinator
To begin with, some OSS doesn't even know how to _treat_ people who report
bugs.

~~~
detaro
The average OSS project probably is better about that than the average
software company though - at least with OSS projects you can be reasonably
secure that they won't send lawyers or the police after you for finding bugs.

~~~
yorwba
It is also easier for an outsider to figure out where to report the bug.

I had a bug using NLTK to display parse trees in Jupyter notebooks. NLTK uses
tkinter to render the parse trees to PostScript and GhostScript to produce a
png image. The chain broke when the PostScript output had a font size of 0.

If this had been a bug in a closed-source program, all I could have put in a
bug report would have been "doesn't work, pls fix".

Instead, I could submit a workaround to NLTK and start looking for the reason
tkinter generated malformed PostScript output. This turned out to be because
Tcl/Tk's font handling used Xft, which used FontConfig, and used an integer
for the font size where FontConfig expected a double. Everything worked fine
until FontConfig started doing floating point math on the font size. The Tk
maintainer who triaged my bug report couldn't even reproduce it on his system,
because his version of FontConfig only ever copied the value.

Only because every component of the chain was open source was it possible to
track the bug down and fix it.

------
crsv
With the increasing number and value of these bounty programs, how viable is a
career in professional freelance security bug hunting?

~~~
tptacek
It's doable, but if you're good enough to somewhat routinely find bounty-
worthy bugs but not _spooky_ good at it, it's not the most lucrative way to
put bug-hunting skills to work.

~~~
cperciva
I've noticed a spike recently in bug bounties going to people using a
combination of fuzzing and code analysis tools. It may be that we're moving to
a point where bug-hunters' ability to use sophisticated tools will be what
earns them the most money, rather than their ability to eyeball code and see
the bugs.

Speaking just for myself: A few years ago I was saying "I should really set
aside a few months to learn to use fuzzing tools"; now I'm saying "it's easier
to just offer bounties and let someone else do the fuzzing for me".

~~~
mindingdata
There was this thing called "Hostile Subdomain Takeover" where a company would
point a subdomain to a particular SaaS product (say Zendesk); sometime later
they would cancel their subscription but not change the A record.

Someone could then go and register a new Zendesk account (If the service
doesn't require proof of ownership of domain), and say that they want to use
the same subdomain. Now they have a Zendesk account with the URL of
[http://help.somedomain.com](http://help.somedomain.com) as an example. And
they can phish people quite easily.

Anyway, the reason I bring it up is because for a while, I saw people spamming
the shit out of bug bounties with this stuff. Because it's super simple to do.

So I'm not sure what is more lucrative for an average Joe, actually learning
proper techniques or trying to piggyback on some low-hanging fruit that may
be easy to automate.
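
The check that gets automated in the scenario above, written out as an added
example (not code from the thread or from any of the bounty programs
discussed): walk a zone's CNAME records, match targets against a table of
SaaS hostnames, and flag the ones whose live response says the name is
unclaimed. The provider table and the "unclaimed" marker strings are
assumptions modelled on how public takeover checklists are organised, and
the zone export and HTTP bodies are constructed so the script runs offline;
a real run would plug in a resolver and an HTTP client for the two callables.

```python
"""Dangling-CNAME (subdomain takeover) triage.

Added example, not from the thread. PROVIDERS and the unclaimed_marker
strings are assumptions; confirm each against the real provider before
relying on them. SAMPLE_ZONE and SAMPLE_BODIES are constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Provider:
    name: str
    cname_suffixes: tuple[str, ...]  # what the victim's CNAME points at
    unclaimed_marker: str            # body text served for an unclaimed name


# Assumed table: hypothetical markers, not verified provider strings.
PROVIDERS = (
    Provider("zendesk", (".zendesk.com",), "Help Center Closed"),
    Provider("github-pages", (".github.io",), "There isn't a GitHub Pages site here"),
    Provider("heroku", (".herokuapp.com", ".herokudns.com"), "No such app"),
)

# Constructed zone export: subdomain -> CNAME target (None = no CNAME).
SAMPLE_ZONE = {
    "help.example.com": "example.zendesk.com",
    "docs.example.com": "example-org.github.io",
    "app.example.com": "live-app.herokuapp.com",
    "www.example.com": None,
    "mail.example.com": "ghs.googlehosted.com",
}

# Constructed HTTP bodies as the provider would serve them for each host.
SAMPLE_BODIES = {
    "help.example.com": "<h1>Help Center Closed</h1>",    # subscription cancelled
    "docs.example.com": "<html>Example Org docs</html>",  # still claimed
    "app.example.com": "<title>No such app</title>",      # app deleted
    "mail.example.com": "404",
}


def match_provider(cname: str) -> Optional[Provider]:
    """Return the provider whose hostname suffix the CNAME target matches."""
    target = cname.lower().rstrip(".")
    for p in PROVIDERS:
        if any(target.endswith(s) for s in p.cname_suffixes):
            return p
    return None


def find_takeover_candidates(
    zone: dict[str, Optional[str]],
    fetch_body: Callable[[str], str],
) -> list[dict]:
    """Records whose CNAME points at a known SaaS *and* whose live response
    carries that SaaS's unclaimed marker. A matching CNAME alone is not a
    finding: the name may still be claimed by its rightful owner."""
    findings = []
    for host, cname in zone.items():
        if not cname:
            continue
        provider = match_provider(cname)
        if provider is None:
            continue  # unknown target: not automatically exploitable
        body = fetch_body(host)
        if provider.unclaimed_marker.lower() in body.lower():
            findings.append({"host": host, "cname": cname, "provider": provider.name})
    return findings


def run_sample() -> list[dict]:
    """Run the triage over the constructed zone with the constructed bodies."""
    return find_takeover_candidates(SAMPLE_ZONE, lambda h: SAMPLE_BODIES.get(h, ""))


if __name__ == "__main__":
    for f in run_sample():
        print(f"TAKEOVER CANDIDATE {f['host']} -> {f['cname']} ({f['provider']})")
```

The same loop, run by the domain owner against their own zone before every
SaaS cancellation, is the defensive side of this: the record has to go before
the subscription does. Note that the GitHub Pages entry in the sample is
correctly left alone because the site still answers with real content.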

~~~
thaumasiotes
This is definitely still a thing.

------
strictnein
> If a researcher reports a qualifying vulnerability already found internally
> by Microsoft, a payment will be made to the first finder at a maximum of 10%
> of the highest amount they could’ve received (example: $1,500 for a RCE in
> Edge, $25,000 for RCE in Hyper-V)

Wow. I guess this kind of functions as hush money? To make sure they don't
reveal the issue before MS patches it. But still, this seems like a good move.

~~~
JoshTriplett
It also encourages researchers to do research, by making it less likely
they'll do a pile of research only to be told "sorry, we already found this,
you get nothing". Right now, pursuing a bounty is a risky proposition; this
makes it less risky.

~~~
strictnein
Yeah, good point. "Hush money" may have been a little too harsh.

------
keithnz
I find the wording of this odd? They have had a bounty program for ages?

The list of active bounties is here:
https://technet.microsoft.com/en-us/security/dn425036

~~~
unhinged_wanker
It's more of a scope and payout change than a brand new program.

------
a_imho
I still consider these fees way too low. I understand there are not too many
legal buyers for Windows bugs, but wonder whether it is more profitable from a
financial pov to just disclose bugs as an upfront investment and wait for a PR
disaster to have some actual leverage to negotiate fair prices.

~~~
romanovcode
If the PR disaster already happened why would they pay you? Makes no sense.

~~~
a_imho
Sorry, I mean the next time around, e.g. if you are sitting on a couple of
exploits. 250k is like the salary of a random manager; for me it really puts
into perspective the _strong commitment to security_ when they offer 15k (a
monthly paycheck) for an RCE in Edge potentially affecting millions of
computers. Never mind the fact that finders are at the mercy of MS, who can
award whatever they want or simply claim it was found internally.

------
AngeloAnolin
Overall, I feel this is a good move by Microsoft. Admittedly from their side,
they won't (or cannot) cover all security holes from their system. Asking help
from external sources and rewarding them appropriately is also good, allowing
them to patch their system. In turn, end users will (hopefully) get an OS that
is secure. Win for everyone. Way to go MS!

------
monocasa
It's good to see the bounties increasing to the range you could get on the
open market.

~~~
Analemma_
Every time you compare a bug bounty payout to the price of vulnerabilities on
the open market, tptacek dies a little inside. Please, think about poor
Thomas.

~~~
tptacek
A lot of the high-dollar bugs Microsoft is soliciting here actually do have
grey-market value.

------
ourmandave
That max Hyper-V payout of $250,000 reminds me of the TV Trope _Just Cut Lex
Luthor a Check_

http://tvtropes.org/pmwiki/pmwiki.php/Main/CutLexLuthorACheck

~~~
legulere
Usually you can get more money for exploits on the black market, than from
bug-bounties. Governments from all around the world have a lot of money to
spend to buy exploits.

~~~
SingletonIface
People keep saying that but is it true? There are some problems:

1. The seller would like to keep their identity secret so that they aren't
prosecuted or attacked.

2. The buyer would also like to keep their identity secret.

3. The seller wants money. How do they know that the buyer will send them the
money if they hand over the exploit before getting paid? Normally you'd report
theft to the police but you're not going to go to the police and admit to
selling exploits. Also you don't know who the seller is.

4. The seller wants the exploit. If they pay first then how do they know they
will get the exploit.

If you contact some agency directly then surely they will not want to pay you
out of fear that you will inform either the public or another government or
agency about the transaction?

If there was a darknet marketplace for exploits (maybe there already is, maybe
there already are several ones?) then that might solve it. There you can have
both some degree of anonymity, you can have reputations for sellers and buyers
and the DNM can offer escrow of funds.

------
jumpkickhit
Bounties for Edge? Isn't it less than 5% in browser market share?

I like the fact they're offering a bounty program, I'm just surprised Edge was
included I guess.

~~~
Kipters
Edge is also behind webviews in UWP apps; WWAHost [0] apps and Store-delivered
PWAs [1] will also run in Edge.

[0]: https://blogs.windows.com/buildingapps/2015/07/06/project-westminster-in-a-nutshell/#m0ES62MW4DrQdB8L.97

[1]: https://developer.microsoft.com/en-us/windows/projects/events/build/2017/progressive-web-apps-and-the-windows-ecosystem

------
eitland
I reported an information leakage from password fields in Windows some moons
ago (ctrl arrow would stop between different character classes in modern
Windows style password fields.)

I don't think this was a big find but I remember I was still somewhat
underwhelmed by the response.
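
A model of the leak described in the comment above, as an added example (not
code from the thread or from Microsoft). The word-break rule is an assumption:
the caret is taken to stop wherever the character class (letter, digit, other)
changes, which is the behaviour the comment reports; Windows' real rules may
differ in detail. The sample password and the per-class alphabet sizes are
constructed. What the example shows is why a "small" leak matters: an observer
who only sees the masked caret jump learns the class and length of every run
and can shrink the brute-force space accordingly.

```python
"""Ctrl+Arrow character-class leak from a masked password field.

Added example, not from the thread. The stop rule (a boundary at every
character-class change) is an assumption about the field's word-break
behaviour; the alphabet sizes are an attacker's assumed per-class charsets.
"""
import math
import string

LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)

# Assumed per-class alphabets for the post-leak brute force (printable ASCII):
# 52 letters, 10 digits, 33 punctuation/space characters; 95 in total.
CLASS_SIZE = {"L": 52, "D": 10, "O": 33}
FULL_ALPHABET = 95


def char_class(c: str) -> str:
    """Classify one character as letter (L), digit (D) or other (O)."""
    if c in LETTERS:
        return "L"
    if c in DIGITS:
        return "D"
    return "O"


def ctrl_arrow_stops(secret: str) -> list[int]:
    """Caret positions (0..len) at which repeated Ctrl+Right would stop
    under the assumed rule: each class boundary, then the end of the field.
    These positions are visible to a shoulder-surfer even though the
    characters themselves are masked."""
    if not secret:
        return []
    stops = [i for i in range(1, len(secret))
             if char_class(secret[i]) != char_class(secret[i - 1])]
    stops.append(len(secret))
    return stops


def leaked_structure(secret: str) -> list[tuple[str, int]]:
    """What the observer learns: (class, length) for each run, in order.
    The class of a run is visible indirectly because the observer knows
    which keys look like letters/digits/symbols on the same keyboard; here
    the model simply assumes the class is recovered."""
    runs = []
    start = 0
    for stop in ctrl_arrow_stops(secret):
        runs.append((char_class(secret[start]), stop - start))
        start = stop
    return runs


def keyspace_bits(secret: str) -> tuple[float, float]:
    """(bits of search space knowing only the length,
        bits of search space knowing the leaked run structure)."""
    before = len(secret) * math.log2(FULL_ALPHABET)
    after = sum(n * math.log2(CLASS_SIZE[cls]) for cls, n in leaked_structure(secret))
    return before, after


if __name__ == "__main__":
    sample = "Summer2017!"  # constructed sample password
    print("caret stops:", ctrl_arrow_stops(sample))
    print("leaked runs:", leaked_structure(sample))
    before, after = keyspace_bits(sample)
    print(f"search space: {before:.1f} bits -> {after:.1f} bits after the leak")
```

The fix on the field's side is equally simple to state: a masked edit control
should treat its whole contents as one word, so Ctrl+Arrow jumps straight to
either end and the caret reveals nothing but the total length.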

------
grandalf
I've come to feel that a Windows 10 machine is more secure than an OSX
machine, all else being equal.

~~~
xlocicicig
That's interesting. Care to elaborate?

~~~
stinos
IIRC articles have been posted on HN about this but I don't recall what they
were exactly. Also not sure how accurate this [1] is and if it reflects
_actual_ security/breaches/... per user, but it does give an indication the
OP's feeling might be correct, seeing statements like _In 2015, according to
the NVD, OSX had the most vulnerabilities, followed by Windows 2012 and Ubuntu
Linux._ And here [2] it's also at the top and Windows 10 is mentioned as well,
but it was quite young then. Similar in 2016 [3]

[1] https://community.rapid7.com/community/infosec/blog/2016/04/20/using-the-national-vunerability-database-to-reveal-vulnerability-trends-over-time

[2] https://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

[3] https://www.cybrnow.com/10-most-vulnerable-os-of-2016/

------
xmodem
Nice. Now can we please have a way of reporting phishing/malware hosted on
Microsoft services (OneDrive, hosted SharePoint, Azure, etc.)? I have reported
a few of these to Microsoft's CERT team and they just seem to get ignored.

------
oxide
It's about time. I hope the incentives stay strong enough, and don't require
hoops to jump through. Otherwise the grey/black markets could out-bid the
bounty and cut the red tape to incentivise their own acquisition of the
exploits in question.

~~~
tptacek
Microsoft has been doing this for a long time; they're one of the pioneers of
bounty programs.

~~~
ygjb
Much respect to Microsoft and their newfound love of bounty programs, but
pioneer is a bit of a stretch - they launched their first bounty program in
2013, well after third party bug buyers like ZDI, and even after BugCrowd
and other bug-bounty-as-a-service companies launched.

~~~
tptacek
I feel like Katie Moussouris switched from SDL to bug bounty stuff at MSFT in
like 2011, but I may have the dates fuzzed up a little bit.

Really the only point I want to make is that this is not Microsoft announcing
their first bounty program.

------
Principe
Damn. $250k for an RCE bug in Hyper-V. If that's on the legit market, I can't
even imagine what it would sell for elsewhere.

------
seanhandley
Wow. About time.

------
kazinator
> _Bounty payouts will range from $500 USD to $250,000 USD_

I will need some $25K in cash upfront to be convinced to _start_ using Windows
10.

~~~
kazinator
Not complaining, but technical question: how did that get a downvote when it
was 3 minutes old? I have a 5 minute delay configured!

I saw "0 points"; then refreshed browser; still said "3 minutes ago". Rubbed
eyes, checked profile settings: "delay 5" still configured.

"delay" is a profile parameter which specifies the number of minutes which
elapse from when you initially create a comment to when it becomes published.
This gives you a chance to edit or retract your comment before it is subject
to public criticism. I've never before seen a voting or reply event occur on a
comment prior to the expiry of the delay.

(Maybe some clocks are way out of sync between some distributed servers, so 3
minutes old here means 5 minutes old there? Or maybe NTP suddenly stepped a
lagging wall clock forward by a couple of minutes?)

To the topic: how much $ can I get out of this? ;)

------
v4n4d1s
Dear Microsoft

>Any critical or important class remote code execution, elevation of
privilege, or design flaws that compromises a customer’s privacy and security
will receive a bounty

Windows 10 has a major design flaw which compromises your customers' privacy
and security. You call it Telemetry and it can't be disabled completely
(definitely a bug! Nobody would make such a stupid decision, amiright?).

Please send me further instructions on how I can claim my 250k.

Also: Why is there nothing for Server 2016?

~~~
43gg43g32g
Don't know why you got downvoted for this on a hacker forum.

~~~
devrandomguy
From the site guidelines
([https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)):

> Please avoid introducing classic flamewar topics unless you have something
> genuinely new to say about them.

For the record, I'm not the one who downvoted the parent for an honest
question.

