Microsoft: No plans to pay for security vulnerabilities

Microsoft: No plans to pay for security vulnerabilities

Summary: A Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well.

SHARE:
TOPICS: Security, Microsoft
35

Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don't expect Microsoft to join the pay-for-flaws party.

According to Threatpost's Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well.

Here's what Microsoft's Jerry Bryant told Fisher:follow Ryan Naraine on twitter

"We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."

"While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."

GOOGLE'S 60-DAY DEADLINE

Microsoft's stance comes on the heels of increased discussion around vulnerability disclosure.  For starters, a team of Google researchers is pushing software vendors to ship security patches within 60 days.

Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues.

This stance by Google is in effect an endorsement of the move by its own Tavis Ormandy to release details of a Windows zero-day bug after claiming Microsoft declined to commit to fixing the issue in 60 days.  Microsoft denies it failed to commit to a deadline because it was still investigating the issue.

[ Googler releases Windows zero-day exploit, Microsoft unimpressed ]

Following Google's blog post that outlines its stance on disclosure, Microsoft followed suit and announced a shift in its approach to disclosure.  The company said it will embrace the concept of Coordinated Vulnerability Disclosure (CVD) which, in some cases, will allow the release of information ahead of a patch if attacks are underway.

Microsoft's Katie Moussouris explains:

Responsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, and added some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, which is an event that is objectively observable by many independent sources.

Make no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what’s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge.

Microsoft is expected to discuss this philosophical shift with researchers at this year's Black Hat security conference.

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • Seeing how Microsoft is doing better than the average

    and better than almost all 3rd party software both in respect to number of vulnerabilities found (fewer) and patching time, I can understand that position.

    MS platforms and software are still subject to be scrutinized, bounty or not. Other vendors may fear what will happen once their platform receives the same level of attention. And to act before the disaster, paying per bug may make sense.

    But in MS case they would merely be competing with the black hats, increasing the price "security researchers" can demand on the black/gray market.
    honeymonster
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @honeymonster Did you realize such professionals could compose custom papers of very high quality. Thus, you had to <a href="http://www.customessayhelp.com/essay-help.html">buy essay</a> to be successful.<a href="http://www.customessayhelp.com/essay-writing-help.html ">essay writing help</a>
      jamesaustinwarn
      • RE: Microsoft: No plans to pay for security vulnerabilities

        @jamesaustinwarn then you fall out of favor with them! I simple can't dislike a person, just because someone else does, I just can't.<a href="http://www.adisonhighschool.com/">High School Diploma</a>
        disturbforce
      • RE: Microsoft: No plans to pay for security vulnerabilities

        MS platforms and software are still subject to be scrutinized, <a href="http://www.customwritinghelp.co.uk/types/essaywriting.php">buy essay</a> bounty or not. Other vendors may fear what will happen once their platform <a href="http://www.customdissertationwritinghelp.co.uk/">dissertation writing</a> receives the same level of attention. And to act before the disaster, paying per bug may make sense.
        adamjones342
      • RE: Microsoft: No plans to pay for security vulnerabilities

        This is such a great thing to know "???While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We???ve had several influential folks from the researcher community join our security teams as Microsoft employees. We???ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they???re released" thanks a lot for sharing...

        <a href="http://www.rentalprotectionagency.com/tenant-screening.php">Background Check Rental</a>
        apollosan
  • RE: Microsoft: No plans to pay for security vulnerabilities

    Its funny because a few years back Microsoft did the whole bounty thing and was criticized harshley for it. Now Mozilla and Google are doing it and its suddenly cool.
    Loverock Davidson
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @Loverock Davidson

      please supply references to support this
      erik.soderquist
      • RE: Microsoft: No plans to pay for security vulnerabilities

        @erik.soderquist Thanks for sharing. i really appreciate it that you shared with us such a informative post..
        <a href="http://www.papermoz.com/theses/">Thesis</a> <a href="http://www.papermoz.com/dissertations/">Dissertation</a> <a href="http://www.papermoz.com/admission-essay/">Admission Essay</a>
        disturbforce
      • RE: Microsoft: No plans to pay for security vulnerabilities

        @erik.soderquist I will forward this article to him. Pretty sure he will have a good read. Thanks for sharing!
        <a href="http://www.papermoz.co.uk/essays/">Essay</a> <a href="http://www.papermoz.co.uk/assignments/">Assignments</a>
        disturbforce
    • RE: Microsoft: No plans to pay for security vulnerabilities

      Responsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems.
      <a href="http://www.realsofttech.com">realsoft technologies</a>
      rocky110
  • RE: Microsoft: No plans to pay for security vulnerabilities

    I would add something witty like "MicroSoft doesn't pay, its customers do" but I'm not the sort of guy that makes such remarks.
    zdnetaaaaaaaaa15
    • I agree ..M$ gets away scott free and the customers pay through the nose

      @zdnet@... <br><br>No need to add anything more to that ........ Apple rules
      Over and Out
      • Wait!

        @SoYouSaid Apple pays people to find vulnerabilities in their software?
        statuskwo5
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @zdnet@... I'm the same way, I do my best to remain neutral. It's hard, if you communicate with the person the other person dislikes, then you fall out of favor with them! I simple can't dislike a person, just because someone else does, I just can't.
      <a href="http://internationalaccreditationjournal.com/tag/iao/">IAO</a> <a href="http://viims.com/news.php?ID=14">IAO Accreditation</a> <a href="http://aboutiao.com/online-education-standards/an-in-depth-view-of-the-iao-accreditation-system/">International Accreditation Organization</a>
      nestdrive
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @zdnet@... The difference between the right word and the almost right <a href="http://www.youtube.com/user/nationhighschool">nation high school</a> word is really a large matter ??? it's the <a href="http://www.123degreereviews.com/?p=32">online education</a> difference between a lightning bug and the lightning.
      nestdrive
  • Consumer Product Safety Commission for OS anyone?

    These are the kind of self serving irresposible stands by industry leaders that force the government to take action when the general public good is affected.
    Kinda like waving a red flag in front of a bull while forgetting there is no fence to keep it from you!
    DUMB, DUMB, AND DUMBER!
    kd5auq
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @kd5auq

      If by "action" you mean create a dozen new committees that use billions of dollars to determine that we need to do something someday, but never actually do that thing, you'd be absolutely right.

      Frankly, the industry's irresponsibility is 1000x more responsible than the government's responsibility.
      CobraA1
  • The top reasons:

    <ol><li> There is a big chance it will go bankrupt by paying a decent bounty (not just pennies as before).</li><li>With the bounty comes the responsibility to FIX the vulnerabilities ... adding to the cost of the bounty.</li><li>To minimize payments, MS will be forced to disclose vulnerabilities they knew for years, but didn't fix ... opening the door for possible legal repercussions and the loss of new contracts.</li></ol>
    wackoae
    • RE: Microsoft: No plans to pay for security vulnerabilities

      @wackoae : Who's going bankrupt? Microsoft? Get real. Chances of Microsoft going bankrupt is like Steve Jobs admitting there is a real problem with the iPhone 4 antenna issue. Very, very, very unlikely.
      Gis Bun
      • Hahaha!

        @Gis Bun That was funny.
        statuskwo5