Last week, I wrote about hackers starting to agitate for Microsoft (and other software vendors) to start paying for information on security vulnerabilities. As a follow-up to that post, I pinged a few security research pros, asking whether they agreed that it's inevitable Microsoft will start buying bugs. The responses:
Dan Geer, VP and Chief Scientist, Verdasys
Who's to say they don't do it already? It's a fine line between deciding to buy vulns and paying protection, and if this really has become a game where the best business deal wins, then Microsoft could, if it chose, embrace the extortionists and buy them out.
In every sense, they tried that a while ago by hiring every security boutique in the country under the world's most hostile, onerous contract terms (ask me how I know), terms that ensured every single slugger on the boutique's lineup could never announce a vuln again.
As that didn't work -- thus proving to Redmond that it wasn't the security boutiques that were the source of the exploits that mattered -- they need a new strategy, one that does not depend on using the niceties of Stateside contract law to throw their weight around. As money talks and bullshit walks, their only option is to outbid the black market.
This, of course, is hard to do. If the U.S. really wants to get Bolivian farmers to stop growing coca, then we'll have to make growing lettuce in the Continental U.S. illegal (thus pricing up something you can grow in Bolivia's thin air and chill temps), or we'll have to outbid the Cali cartel for the crop in full. Ditto Redmond; MSFT can't keep the exploit writers from doing what they do except by making them an offer they can't refuse.
With $5B in underutilized cash lying around, it is almost criminal that MSFT hasn't just cornered the market. Of course, the longer they wait the more the price to buy out the opposition rises and, in fact, that $5B may no longer be enough, though there's no doubt a creative pricing structure would have real effects, such as paying informants 2X what they pay code jocks.
If I'd been the judge in the monopoly trial, I'd have given them the choice between backing out of 50% of their market or betting their entire free cash pool on ending the monoculture risk that their monopoly is and always will be. "You can have it all, but it's all your fault, or not."
Dave Aitel, researcher/CTO, Immunity
Vulnerability information is worth money. That was the key driver behind Immunity's Vulnerability Sharing Club, which opened the market for 0day bugs in 2002.
While this doesn't make it inevitable that Microsoft will start directly paying for vulnerability information (and I have no reason to believe they are not already), it does make it the cheapest and most cost effective option for them. Hiring consultants is expensive and has a variable payoff. Buying vulnerabilities, while not cheap, is a sure thing.
Perhaps the question should be turned on its head: if Microsoft was buying, would most hackers sell to them?
Here's another question: Does Microsoft give money to TippingPoint/iDefense? I think the answer would be interesting.
Dave Goldsmith, President, Matasano Security
I don't think Microsoft will start buying vulnerabilities in the near term. If they did, it would accelerate the blossoming vulnerability marketplace (e.g. iDefense, Zero Day Initiative). They would validate a somewhat controversial business model that threatens to have Microsoft pay for vulnerability information that they currently receive for free.
Could this change? Sure, when the majority of vulnerabilities are only available for sale and/or when vulnerability markets are well established. Otherwise, they are just expanding an industry that doesn't help them or their customers.
Halvar Flake, CEO and Head of Research, Sabre Security
I really do not know if Microsoft will start paying for vulnerabilities. They've been quite adamant in the past about 'not being blackmailed', so I would be surprised if I see them change their opinion.
On the other hand, submitting a bug to a vendor is usually a huge hassle for the vulnerability researcher, and giving a financial incentive to work with the vendor (and incur loss of time/productivity) might work well.
Also, if MS starts paying for their bugs, it might be actually 'good' overall: Beforehand, the researcher had the choice between giving the bugs to people with questionable objectives in return for money, or giving bugs to people with the right objectives but getting nothing in return.
If MS started paying for bugs, the researchers would have the choice of doing what's "right" and still benefit from it.
RSnake, hacker/consultant, ha.ckers.org
Honestly, I really doubt that will happen, given the conversations I have had with Microsoft to date thus far. This is a snippet from one email I have from them:
"We understand that some finders want to be valued for their research and although Microsoft does not engage in buying vulns, there are several brokers that are reputable organizations. For folks that are interested in selling their work, we recommend submitting the vulns to companies like Tipping Point or others who buy vulnerabilities."
They are recommending the brokers, who, in turn, give the bugs to Microsoft for free. They also get bugs (for free) from guys like me who help them broker certain deals with guys who are afraid to talk directly to Microsoft.
HD Moore, founder, Metasploit
Disagree. I believe that if a vendor were to start buying vulnerabilities in their own product, they would be setting themselves up for blackmail.
Microsoft has it great now -- they receive bug reports for free, even if the company submitting them had to pay someone else for the research. If they decided to compete with iDefense or ZDI for their own vulnerabilities, the bidding war could financially destroy all three programs (MSFT, iDefense, ZDI). If ZDI purchases a bug from a researcher, what prevents them from reselling the same bug to Microsoft?