I wonder what impact this will have on open source software (OSS).
OSS can't afford to pay people to look for bugs and improve the overall software. But commercial companies can.
I wonder if there will exist a date/time in the future where closed-source software, because of these bug bounties, will yield better (less buggy) software vs OSS.
Similar behaviors likely exist in OSS; they are just called different things.
For example, ACME Co uses open source project XYZ. Acme Co uses resources to make sure that XYZ is secure and bug free. Acme Co is then incentivized to contribute any changes they have found, because they would like to stay in sync with the master branch of XYZ so they can get any updates the community pushes.
In the case of OSS, the pool of resources is likely far bigger than with closed source software.
Well, the kernel, right? Many many major corporate contributors. Kind of the opposite of OpenSSL, I guess, which everyone uses and no one seems to maintain.
On the other side, e.g. Egor Homakov hacked GitHub a few times through vulnerabilities in Rails. GitHub paid him bounties anyway. I'm no expert, but it appears to me that at times it does work, just not always.
Well I think the source code is included (since it's Ruby, but encrypted) with the Github Enterprise image. But that's "source code available", not "open source" (ie, under a copyleft license)
> But that's "source code available", not "open source" (ie, under a copyleft license)
It's proprietary. Also, there are many free software (or "open source" if you prefer) licenses that are not copyleft. MIT, Apache, Revised BSD, zlib, etc are all examples.
You say that like Heartbleed was the end of the story. Since then, "the Linux Foundation launched the Core Infrastructure Initiative (CII) as a way of getting resources to those projects. That has helped OpenSSL, among others, to get back into a healthy state." which includes a ton of funding from many companies that depend on OpenSSL like AWS, Google, Intel, Microsoft.
If you think about it, it was always that way. However, a lot of companies that depend upon open source software also invest in it, so it also gets a reasonably good number of eyes trying to fix bugs and add features.
> OSS can't afford to pay people to look for bugs and improve the overall software. But commercial companies can.
Software insurance companies can invest a part of the insurance premium on OSS in bug bounties. It’s a shame more people aren’t aware of software insurance, since OSS has several advantages in this area, for example that the source code is available to everyone, such that insurance companies can pay everyone in the world to find bugs in the software they’re insuring.
That’s a definite advantage. It’s not often that an insurance company has the opportunity to invite everyone in the world to help them assess the quality of what they’re insuring.
The average OSS project probably is better about that than the average software company though - at least with OSS projects you can be reasonably secure that they won't send lawyers or the police after you for finding bugs.
It is also easier for an outsider to figure out where to report the bug.
I had a bug using NLTK to display parse trees in Jupyter notebooks. NLTK uses tkinter to render the parse trees to PostScript and GhostScript to produce a png image. The chain broke when the PostScript output had a font size of 0.
If this had been a bug in a closed-source program, all I could have put in a bug report would have been "doesn't work, pls fix".
Instead, I could submit a workaround to NLTK and start looking for the reason tkinter generated malformed PostScript output. This turned out to be because Tcl/Tk's font handling used Xft, which used FontConfig, and used an integer for the font size where FontConfig expected a double. Everything worked fine until FontConfig started doing floating point math on the font size. The Tk maintainer who triaged my bug report couldn't even reproduce it on his system, because his version of FontConfig only ever copied the value.
Only because every component of the chain was open source was it possible to track the bug down and fix it.
It seems like this might be in part balanced by the fact that it's much easier to find vulnerabilities in open source software, since it's open source.
It's doable, but if you're good enough to somewhat routinely find bounty-worthy bugs but not spooky good at it, it's not the most lucrative way to put bug-hunting skills to work.
I've noticed a spike recently in bug bounties going to people who are using a combination of fuzzing and code analysis tools. It may be that we're moving to a point where bug-hunters' ability to use sophisticated tools will be what earns them the most money, rather than their ability to eyeball code and see the bugs.
Speaking just for myself: A few years ago I was saying "I should really set aside a few months to learn to use fuzzing tools"; now I'm saying "it's easier to just offer bounties and let someone else do the fuzzing for me".
There was this thing called "Hostile Subdomain Takeover" where a company would point a subdomain to a particular SaaS product (Say Zendesk), sometime later, they would cancel their subscription but not change the A record.
Someone could then go and register a new Zendesk account (If the service doesn't require proof of ownership of domain), and say that they want to use the same subdomain. Now they have a Zendesk account with the URL of http://help.somedomain.com as an example. And they can phish people quite easily.
Anyway, the reason I bring it up is because for a while, I saw people spamming the shit out of bug bounties with this stuff. Because it's super simple to do.
So I'm not sure what is more lucrative for an average joe, actually learning proper techniques or trying to piggyback on some low hanging fruit that may be easy to automate.
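From the defender's side, the condition the comment above describes is a DNS record that still delegates a subdomain to a third-party provider after the subscription behind it is gone, so the control is an inventory check run over the zone. The following is an added example, not code from the thread or any vendor: the zone export, the provider suffix list and the active-subscription inventory are constructed sample data, and the check flags any CNAME into a known provider that has no active subscription on record.

```python
"""Inventory check for dangling subdomain delegations.

Added example; the zone export, provider suffixes and subscription
inventory below are constructed sample data, not real records.
"""
import re
from typing import NamedTuple

# Constructed zone export in BIND-style presentation format.
ZONE_EXPORT = """\
; somedomain.com zone (constructed sample)
www.somedomain.com.     300 IN A     192.0.2.10
help.somedomain.com.    300 IN CNAME somedomain.zendesk.com.
status.somedomain.com.  300 IN CNAME somedomain.statuspage.example.
shop.somedomain.com.    300 IN CNAME shops.myshopify.example.
mail.somedomain.com.    300 IN MX    10 mx1.somedomain.com.
"""

# Third-party hosting suffixes the org is known to delegate to (constructed).
PROVIDER_SUFFIXES = (".zendesk.com.", ".statuspage.example.", ".myshopify.example.")

# Constructed inventory of SaaS subscriptions that are still active
# (keyed by the provider-side hostname the CNAME points at).
ACTIVE_SUBSCRIPTIONS = {"somedomain.zendesk.com."}


class Record(NamedTuple):
    name: str
    rtype: str
    target: str


RR_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(text: str) -> list[Record]:
    """Parse resource-record lines; comments and blanks are skipped and
    rdata is kept as written (lower-cased so comparisons are case-free)."""
    out: list[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            out.append(Record(m["name"].lower(), m["type"], m["rdata"].strip().lower()))
    return out


def find_dangling(records: list[Record],
                  providers: tuple[str, ...] = PROVIDER_SUFFIXES,
                  active: set[str] = ACTIVE_SUBSCRIPTIONS) -> list[tuple[str, str]]:
    """A CNAME into a third-party provider with no active subscription
    behind it is exactly the state that lets someone else claim the name.
    Returns (our name, provider target) pairs that need the record removed."""
    findings: list[tuple[str, str]] = []
    for r in records:
        if r.rtype != "CNAME" or not r.target.endswith(providers):
            continue
        if r.target not in active:
            findings.append((r.name, r.target))
    return findings


if __name__ == "__main__":
    for name, target in find_dangling(parse_zone(ZONE_EXPORT)):
        print(f"dangling: {name} -> {target} (no active subscription; remove record)")
```

The inventory, not a live DNS lookup, is the source of truth here: some providers keep the target hostname resolving after the account is closed, so "does it resolve?" alone can miss exactly the records that matter. Tying record deletion to the subscription-cancellation step is the corresponding process fix.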
And even if you're "spooky good", you only really need to be spooky good for six to 12 months before something like Google Project Zero will pick you up to (in all likelihood) pay you far more anyway.
(1) You are effective at finding the specific kinds of vulnerabilities that the grey market actually purchases. People have _very_ weird ideas about what the grey market wants. In reality, if your bug isn't a drive-by clientside in a popular client, it is unlikely that anyone wants to buy it.
(2) You are willing to get your hands dirty with shady purchasers. If you're talented, you can make good money in the grey market, or you can retain plausible deniability about what your work is being used for, but you can't do both of those things.
That first case is really the limiting factor. And remember, if you can reliably sell bugs to the grey market, that strongly implies you have lucrative options in the legitimate market. Bug bounties are not the most competitive alternative to the grey market!
> In reality, if your bug isn't a drive-by clientside in a popular client, it is unlikely that anyone wants to buy it.
That sounds like black market buyers (maybe we disagree on where the "gray" line is). Governments are very interested in bugs that allow pivoting and lateral movement.
1. If you have to ask this question, you are quite far from being able to do it any time soon (and that's assuming you can find the vulnerabilities!),
2. You will predominantly sell your vulnerabilities, preferably weaponized as complete exploits, to firms that specialize in "vulnerability research" and "exploitation development" with close ties to government agencies.
It's much easier to find a firm that can act as a broker between you and the government agency than it is to knock on the right doors to sell it on your own, with no background or prior contact.
I've looked at darknet markets. Quite often, there are vulnerabilities advertised for thousands or tens of thousands of dollars. And quite often, they claim to be an exclusive sale (ie, they'll take it down after one purchase).
And quite often, they will be relisted for months at a time. I'm not at all saying there's no market - we clearly know that a remote code exec on a common server will sell well.
Things like "Microsoft Word Exploit" seem a lot more like Duff beer - I'm often hearing how much they are "for sale" for a fortune but I'm not convinced people are getting the significant sums people refer to on a reliable basis.
I wonder the same thing. The only downside I can see is that the more days that go by while bug-hunting, the more anxious I'll get about not having a consistent biweekly paycheck. It would be a very results-driven career à la sales, but I'm not sure I could take that stress.
If you are legitimately good enough, there are certainly companies out there who will pay you well and consistently to hunt for bugs/vulns.
> If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could’ve received (example: $1,500 for a RCE in Edge, $25,000 for RCE in Hyper-V)
Wow. I guess this kind of functions as hush money? To make sure they don't reveal the issue before MS patches it. But still, this seems like a good move.
It also encourages researchers to do research, by making it less likely they'll do a pile of research only to be told "sorry, we already found this, you get nothing". Right now, pursuing a bounty is a risky proposition; this makes it less risky.
I wonder how often it happens that a company lies (or stretches the truth) about already knowing about a vulnerability to avoid paying a bounty. If it happens even sometimes, the 10% might provide additional incentive for researches to target Microsoft. Even if they don't get a full payout, at least they get something.
I very much doubt they would lie about it; but if the amount in question was so little that they wouldn't care about it, they would just pay the full price.
Microsoft is composed of people. The people we worry about here are the ones who might be incentivised to discover exploits before an outsider. They would have an incentive to back-date their work, or their subordinate's work.
They're not stupid. If they cared so much more about pinching every last dollar than about security, they wouldn't have launched the bug bounty program at all.
BTW, as others have mentioned, this is strictly better than the policy of other bug bounties until now, which is "We already found this, so you get nothing"
I still consider these fees way too low. I understand there are not too many legal buyers for Windows bugs, but wonder whether it is more profitable from a financial pov to just disclose bugs as an upfront investment and wait for a PR disaster to have some actual leverage to negotiate fair prices.
Sorry, I mean the next time around, e.g if you are sitting on a couple of exploits.
250k is like the salary of a random manager. For me it really puts into perspective the strong commitment to security when they offer 15k (a monthly paycheck) for an RCE in Edge potentially affecting millions of computers. Never mind the fact that finders are at the mercy of MS, who can award whatever they want or simply claim it was found internally.
Overall, I feel this is a good move by Microsoft. Admittedly from their side, they won't (or cannot) cover all security holes from their system. Asking help from external sources and rewarding them appropriately is also good, allowing them to patch their system. In turn, end users will (hopefully) get an OS that is secure. Win for everyone. Way to go MS!
Every time you compare a bug bounty payout to the price of vulnerabilities on the open market, tptacek dies a little inside. Please, think about poor Thomas.
Which is actually sort of a worst-case scenario (not that I think this bounty is bad), because NSA's primary objective is in fact not to hack all your Windows machines, or even to hack anyone's Windows machine. NSA's primary objective is to secure more budget/headcount for NSA.
While that's true, the NSA's secondary objective is to be the only people who have an arsenal of exploits. Since they have the largest budget, having the price of exploits go up only helps this goal.
Right. I don't think bounties like this alarm NSA in any way. In fact, since NSA probably believes it has a practically unlimited capability of acquiring Windows vulnerabilities, the bounty probably helps, by taking the heat off them and the intractable notion of a "vulnerability equities process".
I think it's more important to remember the NSA's primary goal in other security conversations. What you really don't want to do is propose protocols that leave plausible-but-difficult attack vectors for NSA, because "plausible-but-difficult" is probably inscribed in Latin on some seal somewhere in Ft. Meade.
I bet the NSA can and would pay a billion dollars for an exploit that was worth it, but other nation-states would be shut out from bidding simply because they couldn't even if they wanted to.
It would take an extraordinary exploit to be worth that much, but imagine a flaw in some weapons platform used by an aggressor that's impractical or impossible to patch and allows for remote code execution. If the US was trying to fend off an attack, or was embroiled in a conflict where this would be an invaluable asset that could end the conflict overnight, they'd pony up.
Like if it could allow them to hack the enemy's radar system to render allied jets invisible, or could corrupt the firmware in anti-aircraft missiles to make them always miss their targets, that would be worth a billion. If it prevented the loss of a few high-value planes it'd pay for itself instantly.
Usually you can get more money for exploits on the black market, than from bug-bounties. Governments from all around the world have a lot of money to spend to buy exploits.
People keep saying that but is it true? There are some problems:
1. The seller would like to keep their identity secret so that they aren't prosecuted or attacked.
2. The buyer would also like to keep their identity secret.
3. The seller wants money. How do they know that the buyer will send them the money if they hand over the exploit before getting paid? Normally you'd report theft to the police but you're not going to go to the police and admit to selling exploits. Also you don't know who the seller is.
4. The seller wants the exploit. If they pay first then how do they know they will get the exploit.
If you contact some agency directly then surely they will not want to pay you out of fear that you will inform either the public or another government or agency about the transaction?
If there was a darknet marketplace for exploits (maybe there already is, maybe there already are several ones?) then that might solve it. There you can have both some degree of anonymity, you can have reputations for sellers and buyers and the DNM can offer escrow of funds.
Edge is Microsoft's primary browser. One of the selling points of a browser is security. From their perspective it makes total sense to make sure it's secure.
If Edge were more responsive on tab-switching and had devtools on par with Chrome, I would use it, and I guess a lot of others would too. It's going in the right direction.
I reported an information leakage from password fields in Windows some moons ago (ctrl arrow would stop between different character classes in modern Windows style password fields.)
I don't think this was a big find but I remember I was still somewhat underwhelmed by the response.
IIRC articles have been posted on HN about this but I don't recall what they were exactly. Also not sure how accurate this [1] is and if it reflects actual security/breaches/... per user, but it does give an indication the OP's feeling might be correct, seeing statements like "In 2015, according to the NVD, OSX had the most vulnerabilities, followed by Windows 2012 and Ubuntu Linux." And here [2] it's also at the top and Windows 10 is mentioned as well, but it was quite young then. Similar in 2016 [3].
Nice. Now can we please have a way of reporting phishing/malware hosted on Microsoft services (OneDrive, hosted SharePoint, Azure, etc)? I have reported a few of these to Microsoft's CERT team and they just seem to get ignored.
It's about time. I hope the incentives stay strong enough, and don't require hoops to jump through. Otherwise the gray/black markets could out-bid the bounty and cut the red tape to incentivise their own acquisition of the exploits in question.
Much respect to Microsoft and their new-found love of bounty programs, but "pioneer" is a bit of a stretch - they launched their first bounty program in 2013, well after third party bug buyers like ZDI, and even after Bugcrowd and other bug-bounty-as-a-service companies launched.
Not complaining, but technical question: how did that get a downvote when it was 3 minutes old? I have a 5 minute delay configured!
I saw "0 points"; then refreshed browser; still said "3 minutes ago". Rubbed eyes, checked profile settings: "delay 5" still configured.
"delay" is a profile parameter which specifies the number of minutes which elapse from when you initially create a comment to when it becomes published. This gives you a chance to edit or retract your comment before it is subject to public criticism. I've never before seen a voting or reply event occur on a comment prior to the expiry of the delay.
(Maybe some clocks are way out of sync between some distributed servers, so 3 minutes old here means 5 minutes old there? Or maybe NTP suddenly stepped a lagging wall clock forward by a couple of minutes?)
To the topic: how much $ can I get out of this? ;)
>Any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty
Windows 10 has a major design flaw which compromises your customers' privacy and security. You call it Telemetry and it can't be disabled completely (definitely a bug! Nobody would make such a stupid decision, amiright?).
Please send me further instructions on how I can claim my 250k.
I'd say the real issue is that Windows 10 not only defaults to having telemetry turned on, but that it also does not allow a system administrator to turn it completely off.
However, I would agree that if preferences are changing without user intervention, that would definitely be a problem.
I haven't heard about users having that problem and can't find examples of it happening on the web. Do you have a citation?
Windows servers are legacy - even SQL Server is on Linux now... ok, jokes aside - it might be a PR move to avoid making their old-school corporate customers nervous.
There are threads where it would be relevant, in this case they're just using this thread as a sounding board because the title contains the word Microsoft. Plus we have all read near identical posts and the corresponding discussion hundreds of times already, because they appear in every thread that brings up Microsoft.
It is kind of like Godwin's law, except instead of Hitler it is telemetry and Microsoft. If there is new information or new things to discuss, absolutely let's talk about it, but repeating the same complaint gets old after the nth time.