For sure. But then you need somebody with vision, that will spend extra money on research so that these kinds of bugs don't happen. Then a new "smart" CEO comes and slashes budgets. Everybody is happy, they have the same sales but lower costs. Then, after years, the bugs are found. Now it's too late. You have to allocate money to mitigate and on top of that you have to spend more money on research and then spend a little on bug bounties. It's too late to go back now.
The problem is how do you recognize a truly good CEO vs. a CEO that lowers costs and makes everybody happy.
Market pressure will always drive outcomes, so you have to incentivize for the outcome you desire. It's far from clear how to bias such speculative (no pun intended) future costs against immediate returns even if you could identify a truly good CEO.
Not necessary! Many CPU architectures and implementations were created by academic institutions, so nationalisation of this industry should be considered a possibility.
Market does not. CEOs are incentivized to please the markets and thus reduce investing at some point to prepare to exercise their stock options and sell. (There is plenty of discussion on what the exercise date should be and some people are pushing beyond 4 years for that reason.)
A lot of companies set a 4 year window for their CEOs. Funneling capital into research, displeases stock holders, as you show reduced earnings. Observe that markets care about steady earning growth; catching these things before they happen in general will not earn you points. That is a sad part of human psychology. Think as a metaphor that an average manager will ask how many bugs did this guy fix and not how many bugs and security issues did this guy caught or saved us from.
(See freaking Equifax -- https://www.marketwatch.com/investing/stock/efx -- they should have been out of business [my personal opinion]. Their stock price is fine. The only mistake of the CEO as far as SEC is concerned is he used inside information and sold.)
These bugs are probably most valuable against cloud providers (Where else do you get arbitrary code execution on a machine with other's valuable data on it?). Most cloud providers run Linux, not Microsoft (except Microsoft) and definitely not Apple.
The problem is that even if there is no practical exploit, you still have to patch. At our web company where there are no shared boxes we still spent untold resources upgrading kernels, rebooting servers, and then lost capacity due to performance degradations.
Infrastructure is normally patched and rebooted on a regular schedule, but when a bug like this hits and requires an off-cycle upgrade it's a big cost.
You're joking, right? Raspberry pi is a toy computer — which is entirely related to why it was unaffected by speculation leaks. It does not fulfill the same needs as full size x86 chips.
Meh. They got lucky because they didn’t use affected hardware due to valuing price over performance. It’s certainly not because of any brilliant insight or preventative measures they took.
I think Microsoft is trying to fill in a meaningful, yet tentative part of the pie. It wouldn't be right for them to put forward the full cost of every cloud company's potential losses.
At the same time it raises the stakes by begging the question for other cloud providers to fill in by asking "why isn't this higher?" So in that light, the number they've chosen may have served its purpose quite well, by encouraging others to think about what another massive 0-day CPU security flaw might cost them.
In the general case, yes, but there are specific cases --- and they are probably more common than you'd be comfortable with --- in which the answer is probably "no". It's legally very dangerous to sell a vulnerability to someone who is going to use it to break the law.
Not that I'd ever find something like Spectre but I would not want to sell it to people who use it to kill people. On the other hand, I'd like to get something for my work.
Also, I think the temptation to go black hat is a lot lower than if the choices were "nothing" vs "millions"
Well you can look at similar programs from Apple etc. and see how many takers they had. So while it's nice to imagine what "I" would do in such a situation it looks like people who actually can do this on average take the high $ payout route.
It has nothing to do with black hat btw. There are gov. agencies that will pay for this stuff.
Off-topic, but Snowden is seen as controlled opposition in a good amount of infosec circles -- the one's that aren't plugged into the infosec clique machine atleast. Not to defend the government, but Snowden was hyped up when in return his leaks brought us nowhere new, but giving the laymen new words to throw around.
How do you define “clean money”? Do you call government agency money “unclean”? I could easily see someone making that statement with justification, but your post is a bit vague so wanted to ask.
So in the context of your original post, with your provided definition now of clean money, can you clarify how the alternatives (selling to law enforcement / government, which is the most common alternative) would be “unclean”?
I was thinking alliterative being selling to say ... less legal minded folks, random dude on the internet. I don't know how likely it is you'll get in trouble, but if you do it might be an issue.
As for selling to another gov or law enforcement, how clean that money is will be relative to what your government thinks of your role. If you sell to say an unfriendly neighbor government, they're going to look at those proceeds a bit differently than say if you sold to THEM.
Clean for me is your likely local legal issues with the money, and/or your actions.
In the end though provided Microsoft isn't considered a terrible enemy by your local government, that probabbly is the cleanest way to sell, and IMO probabbly the safest morally IMO (granted morally and clean money might not always go hand in hand).
Sure, but why would you advertise to those people? There are many very talented people in parts of the world that aren't the premier market for their skills that accept much lower salaries for their skills, or are employed in other industries altogether. I wouldn't be surprised if the number of people that match that criteria and have security research experience is much higher than the number of people in Silicon Valley and the other 5-10 leading tech markets that have the requisite security experience.
The world is a big place, and I think exploring security is fairly attractive to the weekend warrior programmer that might find other work hard to come by.
Not subsidizing, I was talking about the income tax on the researcher. Something which affects the whole population. It’s like someone finding a bug in a paracetamol and government rewarding him by not taxing the money he received from pharma companies. Not a great analogy but you get my point.
The size does matter. The amount posted for bug bounties is usually pitifully low compared to the magnitude of the bug. If you've got money on your mind, there's pretty much no reason to fill a bug bounty for a large vulnerability when there's people that will pay ten or twenty times more for it.
People are downvoting Dylan but it'd be neat if for once someone could try answering, as specifically as they can, who exactly he would sell to to beat a bounty price.
Wow that was a very detailed look at how buying and selling of vulnerabilities work. Thank you for sharing. It's interesting how many different companies there are in the world and how they seem to have a Cooperative working agreement with each other if the price is right
Zerodium is a company that tries to make things as straightforward and above-the-table as possible, but there are other publicly known companies that are willing to play ball (or roll in the mud, if you see it that way), even though they keep a low profile. Believe it or not, selling such information actually isn't illegal, even if it leaves a bad taste in a lot of people's mouths.
If you're ready to cross the bridge from "providing info to companies that will likely sell it to repressive governments and surveillance agencies" to "I don't care where this goes, I just want the money under any circumstance", my understanding is that you'll end up having to do a lot of finagling, networking, and negotiating to get the information to the people who want it. I couldn't tell you much about this myself, but having known people who did some small-time floating around in the field, opportunities of the under-the-table type are pretty transient.
If I had the choice I would take 250k$ non-sketchy money from MS over any amount of xxx sketchy money from any other company. Yes, youcould get a lotmore money insome cases but MS will be the easiest way to get it.
It's not only that the money is sketchy, you'll most likely won't know who you are selling to and how it will be used. Conscience might bite you in the ass.
If you are selling a 0-day exploit on the black market for 7 figures, I am pretty sure you are already accepting that it is being used for evil and not bettering the world.
Not only that, but imagine how many services you and your family and friends use that could be compromised? It could end up costing you unless you and your family pull out of all your online services.
The ultimate irony would be if your bank(s) got compromised by your but and some of your money was lost.
Define sketchy. Is an israeli company who will be then reselling the exploit to all sort of law enforcement agencies from democratic countries and less democratic countries sketchy? It's certainly safe from a legal point of view.
So that they aren't paying out huge sums of money for trivial defects in fringe products. For example a userland defect in editing tools of Sharepoint is not going to be worthy of a $250,000 reward to MS.
They should broaden it to confidentiality or integrity breaches on CPU components that affect Windows-based products. That will cover more ground. Availability is important, too, but the other two are a nice start that won't break the bank with crashes or stalls. They might still pay for them but with less money.
Bug bounties are good but they wouldn't have prevented Spectre-Meltdown. The only way to prevent such a fiasco is for the bugs to never exist in the first place. The only difference bounties make is that hopefully vendors patch the issue before it becomes widely exploited. In the case of S/M, vendors got many months of notice and it was still a fiasco - that is the nature of software bugs.
For bugs to never exist in the first place? Let me put that one in the list of obvious things like “traffic accidents shouldn’t occur”, “drowning accidents shouldn’t occur”, “heart disease shouldn’t occur”.
I’m sure I missed something. Could you help me out ?
Meltdown/Spectre was not a "fiasco" due to Microsoft and Intel not finding out. It was "responsibly" disclosed to the companies, and there were multiple months to prepare a response. A bigger bounty would not change anything for Meltdown/Spectre.
It was a "fiasco" because it affected over 90% of all servers and laptops out there. And there was just no way to prepare enough of a response, while keeping it secret. For a few months, too few engineers knew about it for good mitigation development. Towards the end, as more people who needed to know were looped in, everyone could see it coming. The vulnerabilities, and mitigations, were just too big.
They wouldn't have prevented the bug, but they might have prevented the size of the fiasco, if they were found earlier, before everyone switched to vulnerable CPUs.
The offer is limit to bugs that are not already known to Microsoft or their partners, and they are not disclosing what these bugs are, and they are making no claim to have fixed them. I made a submission to Intel and others weeks after some were claiming to have mitigated this with small reductions in timer resolution, showing that the timer mitigation would not stop these vulnerabilities, no one would pay out, said they were already aware of it, have they informed the public, have they withdrawn their product, have their transitioned their user base to safer products??? No one is going to hand over their well documented exploits under such terms. Let them offer twice the reward for public disclosures of issues that they already know and have not fixed or not warned the public about, and then we might take their offer seriously.
I don't understand the disincentive you're describing. Unless you believe that Intel or Microsoft would lie about already knowing about a vulnerability --- which is extremely dumb, given how minimal the expense is, and how much publicity you'd immediately generate by going public --- then what's the risk?
Fact is they are still patching away! And yes I have seen no public disclosure on many of the problems. Try asking Intel for help, it is a brick wall. My guess is that they made a huge mistake, that they thought that high precision timers were needed, and they did not put the effort into otherwise fixing the problems. Lack of sharing probably made it much worse. They had still not addressed these at the public disclosure date. They either realized the mistake themselves or various people told them of their mistakes, and they were left with known vulnerable products on the market that they had no hope of fixing in a timely manner. At that point they could have advised their users to move to alternative products, e.g. Google had a head start, but that would likely have ended them, most people would not come back many months later when they claim to have fixed the problems, and that is a big expense for them! Another alternative was to take drastic coding measures, lfence branch paths, but at a high performance loss, they did not do that either, again who wants a slow product if the competition has not also taken the same action. The really kicker is people had been trying to get them to move on this for years and they had been resisting it strongly.
> Unless you believe that Intel or Microsoft would lie about already knowing about a vulnerability
Imagine they know of a vulnerability but believe that it's not practical to exploit, or something. Then someone comes along and demonstrates that it actually is practical to exploit. They could say, well, we knew about this already and didn't believe it's practical, so we're not paying you for it.
It can sometimes be hard to convince a vendor that a vulnerability is "their fault" and this policy only increases the difficulty.
If it’s not practical to exploit, why wouldn’t Microsoft disclose it publicly? I thought that the “best ethical practice” for vulnerability disclosure is to notify the vendor privately, then disclose publicly after some period of time if the vendor is uninterested or unresponsive, with the idea being that it’s safer in the long run for vulnerabilities to be publicly known than only known to a small number of parties (since some of those parties may be trying to exploit the vulnerability).
> If it’s not practical to exploit, why wouldn’t Microsoft disclose it publicly?
Because of the public?
If someone decides to try make a name for themselves by taking a shot at embarrassing MS/Intel/Linux/AMD/other which do you think will have more affect on public perception: intelligent, detailed discussion about practicalities and real world attack/defense profiles, or loud shouty "but what if" reporting carefully word to be as scary as possible?
My experience from being involved in a couple of them (though obviously not quite on the scale of Microsoft) is that people underestimate both the difficulty of running bug bounties and the average quality of submissions to them.
When I worked at Mozilla on the MDN team, for example, there was a lot of inevitable spamming of "security" bugs which basically boiled down to "MDN is a publicly-editable wiki and hosts code samples" (MDN also goes to some trouble to do that safely). The current bug bounty exclusions are still pretty broad as far as I can tell, and thankfully will automatically throw out a bunch of the worst of the spam.
Same thing happens still with Django. I've considered writing up something with similar exclusions to Mozilla's policy just because it would save time dealing with meaningless reports (though Django would get a few categories the Mozilla policy doesn't, like "it's not a vulnerability if the only person you can CSRF is yourself").
I've heard similar frustrations from bug-hunters before. I don't know enough to side with anyone, but it would be nice if there were some kind of oversight body for this sort of thing, an independent third party that offered some consistency in the experience.
We can use cryptography instead of 3rd parties to solve most of the trust problem. The companies publish encrypted documentation of a vulnerability so that when they claim a researcher has found something already known, they share the key to prove they already know it. A 3rd party might be useful in a complaint process where the researcher claims the two vulnerabilities are not the same. Given that is hopefully now a minority case, the researcher can resort to the court of public opinion.
It doesn't need to be a block-chain but I guess it would help create a tamper proof time ordered record.
> I [showed] that the timer mitigation would not stop these vulnerabilities
Yes, that was obvious to people with some background in this class of attacks. Good on you for figuring that out independently (seriously!), but you're not going to get a bounty for something widely known.
Ok, but if a working web browser POC is not worthy of a bug bounty reward, because they claim to already know, then what is the point of the bug bounty? Why are they not just paying for specialists to advise them on how to fix this if they have no plan. They don't even listen when you try and try and try to explained what needs to be done. How can a bug bounty fix this?
The point is that the vendor was claiming they had patched the flaw. They can't simultaneously claim to have a patch and that they know the patch doesn't fix it.
I hope that as time goes on we find the open source approach to crowdsourcing bugs is actually so much more viable than bug bounties and combined with an increased need for security we find that many proprietary softwares are outmatched.
Bug bounties are no panacea or substitute for strong security thinking across different product stages and departments. We had Spectre and Meltdown due to the industry shortcoming in this regard, not because we didn’t conduct enough bug bounties.
92 comments
[ 3.1 ms ] story [ 206 ms ] threadThe problem is how do you recognize a truly good CEO vs. a CEO that lowers costs and makes everybody happy.
Not necessary! Many CPU architectures and implementations were created by academic institutions, so nationalisation of this industry should be considered a possibility.
A lot of companies set a 4 year window for their CEOs. Funneling capital into research, displeases stock holders, as you show reduced earnings. Observe that markets care about steady earning growth; catching these things before they happen in general will not earn you points. That is a sad part of human psychology. Think as a metaphor that an average manager will ask how many bugs did this guy fix and not how many bugs and security issues did this guy caught or saved us from.
(See freaking Equifax -- https://www.marketwatch.com/investing/stock/efx -- they should have been out of business [my personal opinion]. Their stock price is fine. The only mistake of the CEO as far as SEC is concerned is he used inside information and sold.)
Infrastructure is normally patched and rebooted on a regular schedule, but when a bug like this hits and requires an off-cycle upgrade it's a big cost.
250k is a huge bug bounty. It's a step in the right direction.
At the same time it raises the stakes by begging the question for other cloud providers to fill in by asking "why isn't this higher?" So in that light, the number they've chosen may have served its purpose quite well, by encouraging others to think about what another massive 0-day CPU security flaw might cost them.
Also, I think the temptation to go black hat is a lot lower than if the choices were "nothing" vs "millions"
A check for helping out Microsoft is gonna be pretty clean.
Money you bring in from selling exploits might be something you don't want tracked back to its origin...
How likely is the less clean money going to get you in trouble I don't know, but the check from Microsoft surely will not.
> Yeah, clean money has some extra value.
So in the context of your original post, with your provided definition now of clean money, can you clarify how the alternatives (selling to law enforcement / government, which is the most common alternative) would be “unclean”?
As for selling to another gov or law enforcement, how clean that money is will be relative to what your government thinks of your role. If you sell to say an unfriendly neighbor government, they're going to look at those proceeds a bit differently than say if you sold to THEM.
Clean for me is your likely local legal issues with the money, and/or your actions.
In the end though provided Microsoft isn't considered a terrible enemy by your local government, that probabbly is the cleanest way to sell, and IMO probabbly the safest morally IMO (granted morally and clean money might not always go hand in hand).
Fixed price anything (job, bounty) means very different things to different people.
The world is a big place, and I think exploring security is fairly attractive to the weekend warrior programmer that might find other work hard to come by.
But it's really splitting hairs. I don't really get it either - just a guess.
Ten or twenty times more! But who are these people?! Where do I go to sell them??
https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
If you're ready to cross the bridge from "providing info to companies that will likely sell it to repressive governments and surveillance agencies" to "I don't care where this goes, I just want the money under any circumstance", my understanding is that you'll end up having to do a lot of finagling, networking, and negotiating to get the information to the people who want it. I couldn't tell you much about this myself, but having known people who did some small-time floating around in the field, opportunities of the under-the-table type are pretty transient.
The ultimate irony would be if your bank(s) got compromised by your but and some of your money was lost.
When I reward you for finding my wallet I don't give you the entire contents of it, even though I would have lost that much money.
I wonder what the rationale is for that narrow scope. Is it just that there aren't that many potential sources of side-channels?
If the last 10 years of VT-x implementations had a flaw that lets you extract data from other VMs that would be about as juicy as Meltdown.
https://eprint.iacr.org/2016/479.pdf
https://ts.data61.csiro.au/publications/csiro_full_text//Ge_...
They should broaden it to confidentiality or integrity breaches on CPU components that affect Windows-based products. That will cover more ground. Availability is important, too, but the other two are a nice start that won't break the bank with crashes or stalls. They might still pay for them but with less money.
It includes an implementation of the exploit in a few lines of javascript.
I’m sure I missed something. Could you help me out ?
It was a "fiasco" because it affected over 90% of all servers and laptops out there. And there was just no way to prepare enough of a response, while keeping it secret. For a few months, too few engineers knew about it for good mitigation development. Towards the end, as more people who needed to know were looped in, everyone could see it coming. The vulnerabilities, and mitigations, were just too big.
Imagine they know of a vulnerability but believe that it's not practical to exploit, or something. Then someone comes along and demonstrates that it actually is practical to exploit. They could say, well, we knew about this already and didn't believe it's practical, so we're not paying you for it.
It can sometimes be hard to convince a vendor that a vulnerability is "their fault" and this policy only increases the difficulty.
Because of the public?
If someone decides to try make a name for themselves by taking a shot at embarrassing MS/Intel/Linux/AMD/other which do you think will have more affect on public perception: intelligent, detailed discussion about practicalities and real world attack/defense profiles, or loud shouty "but what if" reporting carefully word to be as scary as possible?
When I worked at Mozilla on the MDN team, for example, there was a lot of inevitable spamming of "security" bugs which basically boiled down to "MDN is a publicly-editable wiki and hosts code samples" (MDN also goes to some trouble to do that safely). The current bug bounty exclusions are still pretty broad as far as I can tell, and thankfully will automatically throw out a bunch of the worst of the spam.
Same thing happens still with Django. I've considered writing up something with similar exclusions to Mozilla's policy just because it would save time dealing with meaningless reports (though Django would get a few categories the Mozilla policy doesn't, like "it's not a vulnerability if the only person you can CSRF is yourself").
It doesn't need to be a block-chain but I guess it would help create a tamper proof time ordered record.
Yes, that was obvious to people with some background in this class of attacks. Good on you for figuring that out independently (seriously!), but you're not going to get a bounty for something widely known.
- https://www.linkedin.com/pulse/bug-bounty-when-auctioning-of...