Punditry: Will Microsoft buy flaws?

Summary: Last week, I wrote about hackers starting to agitate for Microsoft (and other software vendors) to start paying for information on security vulnerabilities. As a follow-up to that post, I pinged a few security research pros, asking whether they agreed it's inevitable that Microsoft will start buying bugs.

TOPICS: Microsoft, Security

Last week, I wrote about hackers starting to agitate for Microsoft (and other software vendors) to start paying for information on security vulnerabilities. As a follow-up to that post, I pinged a few security research pros, asking whether they agreed it's inevitable that Microsoft will start buying bugs. The responses:

Dan Geer, VP and Chief Scientist, Verdasys

Who's to say they don't do it already? It's a fine line between deciding to buy vulns and paying protection, and if this really has become a game where the best business deal wins, then Microsoft could, if it chose, embrace the extortionists and buy them out.

In every sense, they tried that a while ago by hiring every security boutique in the country under the world's most hostile, onerous contract terms (ask me how I know), terms that ensured every single slugger on the boutique's lineup could never announce a vuln again.

As that didn't work -- thus proving to Redmond that it wasn't the security boutiques that were the source of the exploits that mattered -- they need a new strategy, one that does not depend on using the niceties of Stateside contract law to throw their weight around.  As money talks and bullshit walks, their only option is to outbid the black market.  

This, of course, is hard to do.  If the U.S. really wants to get Bolivian farmers to stop growing coca, then we'll have to make growing lettuce in the Continental U.S. illegal (thus pricing up something you can grow in Bolivia's thin air and chill temps), or we'll have to outbid the Cali cartel for the crop in full.  Ditto Redmond; MSFT can't keep the exploit writers from doing what they do except by making them an offer they can't refuse.  

With $5B in underutilized cash lying around, it is almost criminal that MSFT hasn't just cornered the market. Of course, the longer they wait the more the price to buy out the opposition rises and, in fact, that $5B may no longer be enough, though there's no doubt a creative pricing structure would have real effects, such as paying informants 2X what they pay code jocks.

If I'd been the judge in the monopoly trial, I'd have given them the choice between backing out of 50% of their market or betting their entire free cash pool on ending the monoculture risk that their monopoly is and always will be. "You can have it all, but it's all your fault, or not."

Dave Aitel, researcher/CTO, Immunity

Vulnerability information is worth money. That was the key driver behind Immunity's Vulnerability Sharing Club, which opened the market for 0day bugs in 2002.

While this doesn't make it inevitable that Microsoft will start directly paying for vulnerability information (and I have no reason to believe they are not already), it does make it the cheapest and most cost-effective option for them. Hiring consultants is expensive and has a variable payoff. Buying vulnerabilities, while not cheap, is a sure thing.

Perhaps the question should be turned on its head: if Microsoft was buying, would most hackers sell to them?

Here's another question: Does Microsoft give money to TippingPoint/iDefense? I think the answer would be interesting.

Dave Goldsmith, President, Matasano Security

I don't think Microsoft will start buying vulnerabilities in the near term. If they did, it would accelerate the blossoming vulnerability marketplace (e.g. iDefense, Zero Day Initiative). They would validate a somewhat controversial business model that threatens to have Microsoft pay for vulnerability information that they currently receive for free.

Could this change? Sure, when the majority of vulnerabilities are only available for sale and/or when vulnerability markets are well established. Otherwise, they are just expanding an industry that doesn't help them or their customers.

Halvar Flake, CEO and Head of Research, Sabre Security

I really do not know if Microsoft will start paying for vulnerabilities. They've been quite adamant in the past about 'not being blackmailed', so I would be surprised if I saw them change their opinion.

On the other hand, submitting a bug to a vendor is usually a huge hassle for the vulnerability researcher, and giving a financial incentive to work with the vendor (and incur loss of time/productivity) might work well.

Also, if MS starts paying for their bugs, it might be actually 'good' overall: Beforehand, the researcher had the choice between giving the bugs to people with questionable objectives in return for money, or giving bugs to people with the right objectives but getting nothing in return.

If MS started paying for bugs, the researchers would have the choice of doing what's "right" and still benefit from it.

RSnake, hacker/consultant, ha.ckers.org

Honestly, I really doubt that will happen, given the conversations I have had with Microsoft to date. This is a snippet from one email I have from them:

"We understand that some finders want to be valued for their research and although Microsoft does not engage in buying vulns, there are several brokers that are reputable organizations. For folks that are interested in selling their work, we recommend submitting the vulns to companies like Tipping Point or others who buy vulnerabilities."

They are recommending the brokers, who in turn give the bugs to Microsoft for free. They also get bugs (for free) from guys like me who help them broker certain deals with guys who are afraid to talk directly to Microsoft.

HD Moore, founder, Metasploit

Disagree. I believe that if a vendor were to start buying vulnerabilities in their own product, they would be setting themselves up for blackmail.

Microsoft has it great now -- they receive bug reports for free, even if the company submitting them had to pay someone else for the research. If they decided to compete with iDefense or ZDI for their own vulnerabilities, the bidding war could financially destroy all three programs (MSFT, iDefense, ZDI). If ZDI purchases a bug from a researcher, what prevents them from reselling the same bug to Microsoft?

Talkback

  • Punditry: Will Microsoft buy flaws?

    Microsoft can and should do everything within its means to protect customers.

    The option to pay researchers should be available to Microsoft management, as well as other tools such as lying to researchers, stringing them along, threatening them with appropriate legal action, crediting and praising them, discrediting and making laughing stocks of them, meeting with them, taking them to lunch, dinner and a movie, offering them membership in a secret security society and/or charging a membership fee to join that secret security society, prosecuting them or having them arrested, or hiring them.

    Many security researchers *and* OSS developers, BTW, won't travel to the US or even publicly disclose flaws in commercial software. We have Cisco's treatment of Mike Lynn and Adobe's of Dmitry Sklyarov as good examples of why this is the case. Not too far from the realm of possibility is the fear of having oneself whisked off to Guantanamo Bay for presenting the wrong flaw in the wrong way.

    Malicious hackers seem to be keeping vulnerabilities private, only sharing them amongst like-minded hackers. The recent proliferation of 0-day vulnerabilities seems to bear that out. It seems malicious hackers are not releasing vulnerability information to any above-board entity. It's a purely academic leap of logic to faith that those similar groups would release details to Microsoft at any price.
    snickersneak
    • Well Hell

      The above is double posted due to the first post receiving

      The proxy server received an invalid response from an upstream server.
      The proxy server could not handle the request href= /5208-12691-0-1.html GET /5208-12691-0-1.html
      Reason: Error reading from remote server
      Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

      It won't happen again. I've unsubbed from the Zero-day RSS feed and cancelled my ZDNet account as punishment.
      snickersneak
  • I like Dan Geer's attitude...

    But then I still can't believe no Microsoft execs went to jail over the ActiveX/Internet Explorer virus debacle.
    Resuna
  • Intellectual property

    It would be a fairly cold day in hell when MS would make an open deal for learning of vulns. It would only send the "wrong" messages: payment for previously free stuff, non-litigious dealing with corporate enemies, acknowledgment of value and of property rights in vulns, and acknowledgment that vulns in MS products exist.

    These are all issues that imply that MS "intellectual property" is somewhat flawed or dependent for value upon non-MS entities.

    The concept of sanctity of intellectual property is so intrinsic to MS's view of itself that any attack upon the notion of sanctity will be dealt with in the same ways that the Church dealt with heresy, never with compromise.
    David Cowell
  • I asked them over a year ago...

    I was able to sit in on a meeting between the #3 security guy for Microsoft and federal pundits. I had one single question for him, which I asked in front of everyone. I asked, "Would Microsoft ever pay for 0day exploits?" Regardless of dancing around this simple question, he did mention they had tried it once. But he made it sound like more of a "sting operation" than anything...

    If terrorists would pay for 0days, why shouldn't Microsoft? Did they run out of money?? Or are they afraid of what would happen if they set a precedent like that..
    nynetsec
  • MICROSOFT HAS A PROBLEM THE INTELLECT CAN NOT SOLVE

    Is the writing of an operating system so impossible that no matter what is done it ends up flawed?
    BALTHOR