Including up to $100k for platform anti-exploitation bypasses; I think Microsoft might be unique in offering a huge bonus for core platform exploitation; they are really serious about the core approach of making the OS and C/C++ runtime hard to write reliable exploits for, which is an interesting approach.
Also interesting because Microsoft was once publicly opposed to programs like these:
I can't think of any. Just inertia on MSFT's part. This is just part of the overall trend of legitimizing vulnerability research, instead of trying to ostracize or (worse) legally threaten them.
There has been a change in the industry. Actually the change happened much earlier, Microsoft just couldn't remain in denial anymore and were often criticized for ingesting so much free research while giving nothing back.
Basically if you had a Microsoft vulnerability and you decided that you wanted to disclose it, you would just go through a broker (such as ZDI) who would deal with Microsoft, but also pay you. The other options were full disclosure, or selling it on the grey market.
There are major vendors who are far worse than Microsoft, such as Oracle and Adobe, but they are just so bad that nobody expects anything of them.
Money well spent by Microsoft, and something that will be of value to Microsoft's customers, who are usually treated as the least important people on the planet. Good for Microsoft.
>We’ve had several influential folks from the researcher community join our security teams as Microsoft employees
I can confirm they had a (semi?) official program to do this as far back as 2006, as I was actually doing penetration testing as a hobby in high school a couple years before this article was written. They flew myself and a few other researchers out for retreats, put us up in nice hotels, took us out to fancy dinners, offered us internships, sent me an ipod video for my birthday at a time when they were really pushing the Zune, and at one point they even organized a huge paintball retreat for myself and some of the employees. The whole thing really put a very human face on the "corporate" persona we had always associated with Microsoft.
I think their strategy was more focused on grooming researchers to become permanent employees (which a few of them did, including Skylined, the guy that developed the Heapspray technique [1], who I shared an office with - super nice guy) or at the very least building loyalty to encourage responsible disclosure. They were also very interested in hearing how us researchers could be persuaded to continue disclosing responsibly, as a few of us were known to wear hats that weren't always white.
>I think Microsoft might be unique in offering a huge bonus for core platform exploitation
I'm happy to see them taking such a progressive approach considering a single critical security flaw can rake in tens of thousands of dollars on the black market.
Large payments make sense. They can certainly afford them and they are probably still a good value even though it's a lot of money from an individual's perspective. It also makes it more likely that an amoral researcher will "sell" his exploit to Microsoft and not to cybercriminals.
How much does Microsoft get from the US government for those same vulnerabilities? More or less than what they pay the outside researchers? Are the "direct cash payments" tax-deductible? Is the government money taxable or not?
Now that we know Microsoft passes vulns along to the NSA, this looks a lot different.
Can you find a single professional vulnerability researcher --- many of whom are openly critical of Microsoft --- that agrees with this point of view? Or are you just trying to connect every pair of dots you can find?
Another thing to note: when you claim a bounty for a vulnerability from Microsoft, you can be pretty confident that the vulnerability will at some point be fixed. When you sell it to a government yourself, the opposite is true.
I don't see what's wrong with speculating about this. It seems to be a completely valid concern given the recent news that Microsoft has, in the past, shared 0-days with the NSA. It is not an outlandish conspiracy theory to think that, after being informed of a vulnerability, Microsoft could pass it on to intelligence agencies in advance of Patch Tuesday, giving them up to 2 weeks' time to make use of the exploits. "Past behavior is the best predictor of future behavior", and all that.
Microsoft passes information about vulnerabilities to all sorts of companies prior to Patch Tuesday, not just government agencies. That's not news; it only seems like news because the people paying attention to the NSA stories don't generally pay attention to how security patch management works.
NSA does not need Microsoft's help to break into Windows boxes.
What's wrong with speculating that the Microsoft Bug Bounty is an NSA-influenced plot to funnel zero-day to the government is that that's a stupid conspiracy theory. It's elaborate and complicated in ways that the NSA doesn't need to deal with. It also casts aspersions on the people at Microsoft --- who are actual people who you can actually talk to --- who worked very hard to make this program happen after Microsoft spent years being criticized for not doing this.
"Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials"
From this and other assertions made in the Bloomberg piece, it seems very fair not to read this as conventional patch management, but as a special arrangement with intelligence agencies. And to read this as, yes, from time to time Microsoft's help does get the NSA into Windows boxes.
Now, we all know that tech reporting often leaves something to be desired. If you're saying the officials were wrong or quoted out of context, then that's fine. But it's not reasonable to dismiss this out of hand as some outlandish Alex Jonesian conspiracy theory.
BTW, obviously I'm not saying that Microsoft's bug bounty program is an NSA plot. It's a good program that every major company should have. I'm also not saying that they don't share bugs with other partners ahead of time, they obviously do. Just that from what the sources in this article (which again, did not originally appear on infowars.com) say, Microsoft does have a special arrangement with intelligence agencies and from time to time has shared bugs knowing they might be exploited by said agencies. The bug bounty program could find the sort of bugs that would (incidentally) be shared as part of this arrangement.
Researchers 14 years of age or older may submit bypasses and defense ideas to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program guidelines for full information on eligibility.
This is a funny illustration of the Cobra effect [1].
It's not obvious that people not writing the software can contribute to the problem, but I suppose this program will test the hypothesis. What I mean is that, in this Dilbert strip, the programmers get paid to fix bugs that they create, incenting the creation of bugs. Paying the townspeople to let the company know about bugs would not obviously (to me) lead to more bugs being created (except in contrived scenarios that involve collusion).
'Responsible disclosure' is probably one of the worst things to happen to the cyber-security industry, and the $100K carrot-on-a-stick is only going to make it worse.
Selling exploits to customers who don't intend on fixing the exploit (buying a hacker's silence) is exactly the nightmare that came to light regarding MS releasing exploit information to NSA prior to releasing publicly-available bugfixes, and these kinds of monetary incentives to the security community will only make things worse.
Where's a professional vulnerability researcher I can read making the same case? My feed is full of researchers saying how great this is, and how big an accomplishment it was that Katie Moussouris and her team managed to pull it off after Microsoft publicly declared itself opposed to bug bounties.
The work required to build reliable exploits against hardened Windows can take months. Why shouldn't researchers be compensated for that work? If you don't want to accept payment for it, that's fine; don't. But why is it bad for other people to do so?
I'm not arguing about compensation, I'm arguing about public safety. People and organizations selling exploits are effectively complicit in the damage resulting from their sales.
That's exactly my point, which is why it's dangerous. If the exploits were made public as soon as possible (full disclosure) then MS will have incentive to release bugfixes as soon as possible to the general public.
By taking the cash, I am sure you are bound by secrecy enforced by jail time. I see these increased payments as hush money to keep researchers quiet while they feed them to the NSA for zero day exploits.
Not to mention, the outsider is a complete unknown. Are they an upstanding white hat? Or are they the darkest of greys? You have no idea.
At least an internal employee is on your payroll, and has been screened with a background check. You don't get to screen which people get to discover vulnerabilities.
While that might decrease the total number of days in a year when there are unpatched exploits that MS knows about, it would increase the total number of days in a year when there are exploits known to hackers. I don't think that would make us safer.
Microsoft releases this exploit information to governments as a matter of policy, and the governments accordingly conduct clandestine operations and cyber-attacks using this exploit information.
MS is in the unique position of being the only ones able to fix the exploit so they are a single-point-of-failure, which diminishes the security of everybody using Windows operating systems.
No, Microsoft releases vulnerability information to the government along with private companies in the antivirus and intrusion prevention space. They do this because they have a coordinated patch schedule that creates windows of known vulnerability.
Microsoft does not have the in-house expertise to feed exploits to anyone.
> Microsoft does not have the in-house expertise to feed exploits to anyone.
I agree with you everywhere else in this thread, but you are clearly not up to speed on who works there if you believe that to be accurate. Some of the best exploit writers, who have pioneered new classes of techniques, work at Microsoft (because Microsoft went on a recruiting spree to target them).
I know who works there and believe my statement to be accurate; remember, we're talking about the total volume of all vulnerabilities discovered in Microsoft products.
If you are narrowing the scope of your claim to say that Microsoft doesn't have the expertise to write exploits for every version of every product affected by every vulnerability, ok, sure. That isn't what was suggested though, and isn't something any reasonable person would have implied.
Then again, the notion that Microsoft dedicates resources to serve as an outsourcing shop for NSA hackers to develop "cyber weapons" no longer has "reasonable person" anywhere on the horizon. That's not even worth entertaining, I just had to interject because I thought you were saying MS doesn't have good exploit writers ;)
I do think the MAPP equivalent for governments, probably as an unintended side effect, grants some advantage to parts of the .gov interested in attacking the products. How much, and whether or not they need it, is another story. But I agree that the NSA sure doesn't need their help - it's probably just a bit of free gravy if anything.
And in Microsoft's defense, it really wouldn't matter if they gave them to the NSA or not. The distribution list is very large, and the teams who ultimately receive that content are not vetted in any way.
Groups brokering exploits is definitely scary stuff. But the non-privatized government researchers have existed long before them and are better at keeping silent and therefore largely perpetual exploits.
Under it all, the current model remains a by obscurity model, where anyone with orders of more magnitude of resources can certainly do enough reverse engineering to find the weak links and break in without planting backdoors.
Vendors reaching the point where they can offer bounties without contemplating bankruptcy implies considerably more resources are going into secure by design software and will continue to flow if they plan to remain solvent and unembarrassed (equally emabarassed?)
I've been playing with a chromebook and I am delighted to see frivolous and even fairly significant features were dropped to develop a secure boot model with a reasonable opt out. I'm sure it will still be broken, but 5-10 years ago it would have been trivially breakable to meet some last minute corporate request for tftp booting, marketing demo, or what have you..
Similar to the drug market, you can not drop the open market and expect everything to stop. Instead you must capture as many resources as you can and direct them to the right goal. I would hope that goal is secure kernels that expand out towards today's features, since the opposite clearly does not work with the resources at hand.
Hmm, the 30 day window for IE11 attacks seems a bit small if they want someone to be able to do a solid job at developing an exploit. I mean it's doable of course, but for 11k working on that short of a timeframe might not be terribly attractive to some of the better folks in the industry.
Yeah, but people who can deliver this already make that much at a day job.
It's appears to be a lot better than their blue-hat prize, which was crowd-sourced spec work and they kept rights to all of the submissions, despite not paying for any beyond the top two or three.
66 comments
[ 1.9 ms ] story [ 130 ms ] threadAlso interesting because Microsoft was once publicly opposed to programs like these:
https://threatpost.com/microsoft-says-no-paying-bug-bounties...
Basically if you had a Microsoft vulnerability and you decided that you wanted to disclose it, you would just go through a broker (such as ZDI) who would deal with Microsoft, but also pay you. The other options were full disclosure, or selling it on the grey market.
There are major vendors who are far worse than Microsoft, such as Oracle and Adobe, but they are just so bad that nobody expects anything of them.
tl;dr Google has been making them look bad.
Money well spent by Microsoft, and something that will be of value to Microsoft's customers, who are usually treated as the least important people on the planet. Good for Microsoft.
I can confirm they had a (semi?) official program to do this as far back as 2006, as I was actually doing penetration testing as a hobby in high school a couple years before this article was written. They flew myself and a few other researchers out for retreats, put us up in nice hotels, took us out to fancy dinners, offered us internships, sent me an ipod video for my birthday at a time when they were really pushing the Zune, and at one point they even organized a huge paintball retreat for myself and some of the employees. The whole thing really put a very human face on the "corporate" persona we had always associated with Microsoft.
I think their strategy was more focused on grooming researchers to become permanent employees (which a few of them did, including Skylined, the guy that developed the Heapspray technique [1], who I shared an office with - super nice guy) or at the very least building loyalty to encourage responsible disclosure. They were also very interested in hearing how us researchers could be persuaded to continue disclosing responsibly, as a few of us were known to wear hats that weren't always white.
>I think Microsoft might be unique in offering a huge bonus for core platform exploitation
I'm happy to see them taking such a progressive approach considering a single critical security flaw can rake in tens of thousands of dollars on the black market.
[1] http://en.wikipedia.org/wiki/Heap_spraying
Now that we know Microsoft passes vulns along to the NSA, this looks a lot different.
Another thing to note: when you claim a bounty for a vulnerability from Microsoft, you can be pretty confident that the vulnerability will at some point be fixed. When you sell it to a government yourself, the opposite is true.
[edit]Link for reference, if anyone missed that particular news: http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t... [/edit]
NSA does not need Microsoft's help to break into Windows boxes.
What's wrong with speculating that the Microsoft Bug Bounty is an NSA-influenced plot to funnel zero-day to the government is that that's a stupid conspiracy theory. It's elaborate and complicated in ways that the NSA doesn't need to deal with. It also casts aspersions on the people at Microsoft --- who are actual people who you can actually talk to --- who worked very hard to make this program happen after Microsoft spent years being criticized for not doing this.
From this and other assertions made in the Bloomberg piece, it seems very fair not to read this as conventional patch management, but as a special arrangement with intelligence agencies. And to read this as, yes, from time to time Microsoft's help does get the NSA into Windows boxes.
Now, we all know that tech reporting often leaves something to be desired. If you're saying the officials were wrong or quoted out of context, then that's fine. But it's not reasonable to dismiss this out of hand as some outlandish Alex Jonesian conspiracy theory.
BTW, obviously I'm not saying that Microsoft's bug bounty program is an NSA plot. It's a good program that every major company should have. I'm also not saying that they don't share bugs with other partners ahead of time, they obviously do. Just that from what the sources in this article (which again, did not originally appear on infowars.com) say, Microsoft does have a special arrangement with intelligence agencies and from time to time has shared bugs knowing they might be exploited by said agencies. The bug bounty program could find the sort of bugs that would (incidentally) be shared as part of this arrangement.
Is there an age limit for participants?
Researchers 14 years of age or older may submit bypasses and defense ideas to the program. If you are at least 14 years old but are considered a minor in your place of residence, you must ask your parent’s or legal guardian’s permission prior to participating in this program. Please see the program guidelines for full information on eligibility.
http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix
http://thedailywtf.com/Articles/The-Defect-Black-Market.aspx
It's not obvious that people not writing the software can contribute to the problem, but I suppose this program will test the hypothesis. What I mean is that, in this Dilbert strip, the programmers get paid to fix bugs that they create, incenting the creation of bugs. Paying the townspeople to let the company know about bugs would not obviously (to me) lead to more bugs being created (except in contrived scenarios that involve collusion).
1 = https://en.wikipedia.org/wiki/Cobra_effect
Searching for Dilbert bug bounty brought it up in the top results.
Selling exploits to customers who don't intend on fixing the exploit (buying a hacker's silence) is exactly the nightmare that came to light regarding MS releasing exploit information to NSA prior to releasing publicly-available bugfixes, and these kinds of monetary incentives to the security community will only make things worse.
Read more: https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales...
These exploits are effectively high-tech weaponry and they should be treated similarly.
The work required to build reliable exploits against hardened Windows can take months. Why shouldn't researchers be compensated for that work? If you don't want to accept payment for it, that's fine; don't. But why is it bad for other people to do so?
By default a naturally occurring exploit probably upon inspection looks less intentional then one put there on purpose.
. . . except for the outsider who mailed them about it and got paid a chunk of money as a result.
At least an internal employee is on your payroll, and has been screened with a background check. You don't get to screen which people get to discover vulnerabilities.
They would not know about the program which takes that exploit and then gives it to the NSA.
Nevertheless, I don't see how this is a bad thing.
MS is in the unique position of being the only ones able to fix the exploit so they are a single-point-of-failure, which diminishes the security of everybody using Windows operating systems.
Microsoft does not have the in-house expertise to feed exploits to anyone.
I agree with you everywhere else in this thread, but you are clearly not up to speed on who works there if you believe that to be accurate. Some of the best exploit writers, who have pioneered new classes of techniques, work at Microsoft (because Microsoft went on a recruiting spree to target them).
Then again, the notion that Microsoft dedicates resources to serve as an outsourcing shop for NSA hackers to develop "cyber weapons" no longer has "reasonable person" anywhere on the horizon. That's not even worth entertaining, I just had to interject because I thought you were saying MS doesn't have good exploit writers ;)
I do think the MAPP equivalent for governments, probably as an unintended side effect, grants some advantage to parts of the .gov interested in attacking the products. How much, and whether or not they need it, is another story. But I agree that the NSA sure doesn't need their help - it's probably just a bit of free gravy if anything.
And in Microsoft's defense, it really wouldn't matter if they gave them to the NSA or not. The distribution list is very large, and the teams who ultimately receive that content are not vetted in any way.
(I made that number up.)
> The work required to build reliable exploits against hardened Windows can take months.
Under it all, the current model remains a by obscurity model, where anyone with orders of more magnitude of resources can certainly do enough reverse engineering to find the weak links and break in without planting backdoors.
Vendors reaching the point where they can offer bounties without contemplating bankruptcy implies considerably more resources are going into secure by design software and will continue to flow if they plan to remain solvent and unembarrassed (equally emabarassed?)
I've been playing with a chromebook and I am delighted to see frivolous and even fairly significant features were dropped to develop a secure boot model with a reasonable opt out. I'm sure it will still be broken, but 5-10 years ago it would have been trivially breakable to meet some last minute corporate request for tftp booting, marketing demo, or what have you..
Similar to the drug market, you can not drop the open market and expect everything to stop. Instead you must capture as many resources as you can and direct them to the right goal. I would hope that goal is secure kernels that expand out towards today's features, since the opposite clearly does not work with the resources at hand.
This would make things fair.
If he is smart enough to hire cheapo programmers and suppress creativity and initiative, he has to pay for his technical debt to clean the mess up.
In all seriousness, any package as complex as Windows and Office is bound to have bugs, many, many bugs.
It's appears to be a lot better than their blue-hat prize, which was crowd-sourced spec work and they kept rights to all of the submissions, despite not paying for any beyond the top two or three.