Should Microsoft start paying for vulnerabilities?

Hackers are starting to agitate for Microsoft to start paying for information on security flaws found in its software products.

The issue surfaced this week after the MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public. 

The invitation -- which extended to bugs found in all of Microsoft online web properties such as *.microsoft.com, *.msn.com and *.live.com -- is part of Microsoft's insistence on the concept of "responsible disclosure," where researchers give advance notice to affected vendors but, for the first time, the response from hackers suggest it's time for Microsoft to offering cash rewards for flaw information.

Immediately after Microsoft's Sla.ckers.org post, "digi7al64" replied with this:

[I] propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this I suggest would be flood of vulnerabilities reported the first few months which would tapper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vun) I'm sure you could get away with it for less then 20-50k all told... which in the big scheme of things is a drop in ocean for MS.

Information on software defects are considered extremely valuable -- vendors use it to improve the quality of products -- but the existing "responsible disclosure" system gives the information for free to software vendors, even those with deep pockets.

The existence of third-party brokers like Verisign's iDefense VCP and 3Com Tippingpoint's ZDI has validated the market for software flaws and given white hat hackers a place to make money for their work but there is a growing feeling that the big vendors -- especially Microsoft -- should set up a bug-bounty program that tangibly rewards external researchers.

Microsoft's official policy is that responsible disclosure works just fine and the credit given to bug finders in security bulletins is more than enough but a burgeoning black market and the spike in zero-day attacks provide proof that the status quo needs fixing.

Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, weighs in:

Now think about this… if given the option, how many of the organizations that have been outted would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. Also of course, if they choose not to participate, there’s nothing lost and things remain the same. Though if an organization budgeted say $10,000, which could help to eliminate a ton of XSS and SQL Injection issues. And at some point vulnerabilities would get much hard to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I’m not quite ready to begin recommending this approach, but I think it’s worth continuing a dialog over.

Chris Eng, director of security services at Veracode, urges caution, especially when it comes to auditing Web applications:

These posters either don’t realize or are conveniently ignoring the fact that it is illegal to stage unauthorized attacks against these websites to begin with. There are a lot of shady underground economies, but that doesn’t necessarily make them legal or ethical.