Should Microsoft start paying for vulnerabilities?


Hackers are starting to agitate for Microsoft to start paying for information on security flaws found in its software products.

The issue surfaced this week after the MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public.

The invitation -- which extended to bugs found in all of Microsoft's online web properties such as *.microsoft.com, *.msn.com and *.live.com -- is part of Microsoft's insistence on the concept of "responsible disclosure," where researchers give advance notice to affected vendors. But, for the first time, the response from hackers suggests it's time for Microsoft to offer cash rewards for flaw information.

Immediately after Microsoft's Sla.ckers.org post, "digi7al64" replied with this:

[I] propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this I suggest would be a flood of vulnerabilities reported the first few months which would taper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vuln) I'm sure you could get away with it for less than 20-50k all told... which in the big scheme of things is a drop in the ocean for MS.

Information on software defects is considered extremely valuable -- vendors use it to improve the quality of their products -- but the existing "responsible disclosure" system hands that information to software vendors for free, even those with deep pockets.

The existence of third-party brokers like Verisign's iDefense VCP and 3Com TippingPoint's ZDI has validated the market for software flaws and given white hat hackers a place to make money for their work, but there is a growing feeling that the big vendors -- especially Microsoft -- should set up a bug-bounty program that tangibly rewards external researchers.

Microsoft's official policy is that responsible disclosure works just fine and that the credit given to bug finders in security bulletins is more than enough, but a burgeoning black market and the spike in zero-day attacks provide proof that the status quo needs fixing.

Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, weighs in:

Now think about this… if given the option, how many of the organizations that have been outed would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. Also of course, if they choose not to participate, there's nothing lost and things remain the same. Though if an organization budgeted say $10,000, which could help to eliminate a ton of XSS and SQL Injection issues. And at some point vulnerabilities would get much harder to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I'm not quite ready to begin recommending this approach, but I think it's worth continuing a dialog over.

Chris Eng, director of security services at Veracode, urges caution, especially when it comes to auditing Web applications:

These posters either don’t realize or are conveniently ignoring the fact that it is illegal to stage unauthorized attacks against these websites to begin with. There are a lot of shady underground economies, but that doesn’t necessarily make them legal or ethical.

Topics: Security, Microsoft, Software

Talkback

  • Yes they should if there is damage done...

    after all, car manufacturers have to pony up for damages due to their incompetence, what makes software so special!?
    ]:)
    Linux User 147560
    • Interesting

      I have no love for MS, but who pays when someone gets 'damaged' from a Linux distribution? I think it's more fair to say that MS should pay for vulnerabilities if they charge for the fixes.
      Taz_z
      • Depends on the payment model

        If someone purchases software, then they have a right to expect it to perform as specified. And for a contemporary operating system, that means it should be secure and reliable. Nothing is perfect, but some of these vulnerabilities are the result of carelessness or arrogance.

        I'm well aware that most EULAs let the software vendor off the hook, even if they know there is a problem. I consider that illegal and if it isn't technically, it should be. That companies get away with using them is just wrong. Especially since you usually can't read them until you buy the software, and even then a law degree probably wouldn't help you understand them fully. That they continue to be allowed to use them is just one more measure of how our government is owned by the ones with the money. If they're not being compensated for the program, fine, let the user beware. But once they charge for it, the obligation changes. So MSFT should have to pay for it and so should companies that sell Linux distros with support included.

        Charging for the fixes? To correct problems usually caused by their negligence? You mean like they do now, by selling new versions of Windows that don't meet the security and stability criteria that they claimed the earlier ones would meet? By that standard, MSFT should have been paying for the costs of vulnerabilities for years.
        mds_z
        • I agree

          I agree with your assessment on this.
          Clayman1000x
    • Not the way it's sold.

      They sell their software with an End User License Agreement (just like Linux).

      You can agree to the terms and live by them or not, that is your choice. (Just like Linux)
      No_Ax_to_Grind
      • Then Government Should Change The EULA

        I'd certainly support OS manufacturers being held liable for damages from vulnerabilities in their software, and don't compare this to Linux, Linux is free, Windows is not. If you pay for something you should have a guarantee that it's going to protect you, not after a service pack.
        itanalyst
        • So who pays when I purchase it from Red Hat

          "I'd certainly support OS manufacturers being held liable for damages from vulnerabilities in their software"

          I would have to say that Microsoft can easily get out of paying for any damages if all they do is to change the EULA to something reflecting:

          "Free copy of Microsoft Windows with the $299.99 purchase of Windows support services"
          GuidingLight
          • Nice Try

            but the Linux distributions are available for free download without a support agreement.

            Microsoft would have to do the same thing.

            Do you plan on holding your breath until Microsoft makes Vista available for FREE DOWNLOAD?
            Update victim
          • What does free have to do with it?

            If I eat a free sample of food that turns out to be undercooked and sickens me, I can't sue the company that gave it out to me as it was free?

            Maybe it's time for Linux distros to back up what they offer? If they're going to recommend their version, they should be forced to pay if it screws up my system.


            "but the Linux distributions are available for free download without support agreement.

            Microsoft would have to do the same thing"

            They already do the exact same thing that you claim Linux does in their agreement. It states that MS is not responsible, just like Linux does. Doesn't matter if you pay or not, you accept the agreement, you have no claim.
            John Zern
          • Oops, a little too much cut and paste?

            nt :)
            John Zern
          • But if your read down below

            I am reminded twice, once by "Mad Mac", that it's free as in freedom, not free as in beer.
            SO WHICH IS IT????????

            Sorry for shouting. It's too frustrating to figure out the licensing. From what I see, anyone can take free downloads, modify them to their heart's content and never share their new source, which doesn't seem "free" to me? Only for the company using it. Then they can offer a long line of software services on their modified Linux, and I guess since it's not technically distributed by physical media???, that is legal under the licensing? Or they can ignore the licensing and that's cool too? I don't get it. Maybe what it's become, over time, is that what was once strictly this: you use it for free, but if you modify it, you HAVE to share it back into the community, and that has morphed into "hell with it", the more copies of Linux we can get running on any machines, closed source or not, the better.
            To the best of my knowledge it's always been a quid pro quo arrangement. Use for free but you must share all source changes back into community property.
            xuniL_z
        • One of software's biggest myths

          "Linux is free"
          WRONG.
          If a company were to start distributing Linux for free into the market with the intent of gaining marketshare, they are breaking U.S. law. Simple as that. It may not be enforced, because law at that level is political.
          But I think it's safe to say that any Linux distros being used by legit U.S. companies anyway are being purchased through vendors based on service agreements etc., making the software FAR from free. I guess it depends on whether you feel one price up front is more than ongoing support month after month for years.

          thanks.
          xuniL_z
          • Daniel Wallace already proved that wrong.

            Twice, actually. US Courts have ruled that it is not price fixing. So you're wrong :)
            NetArch.
          • Forgot one thing:

            It's you pro-proprietary guys who are spreading the myth that Linux is free. Like it's been explained plenty of times to you guys, it's Free as in Freedom, not Free as in Beer.

            And Freedom means that the software remains free/libre and can't be taken private...
            NetArch.
          • It's statements like yours

            That make everyone scratch their heads at why a company like Google can use Linux to its heart's content w/o sharing any source code changes. It's been widely reported, not just my opinion, that Google uses a highly modified version of Linux to power its servers. Those servers also power its search engine and its enterprise apps. How come no freedom from Google? When are the GoogHeads going to start complying with somebody, ANYBODY, and do the right thing?
            Other than their 10 to 20 Billion a year to Mozilla for advertising in FF and the engineering work they provide to create FF 2.0 and next 3.0. Now that work has to be open for sure, right? The googlefox browser 3.0 that is?
            Why can startups like SNORT be bought out for 250M, to make the original owner rich, and then make all new code proprietary, and users who'd been using snort for years with free updates suddenly have to pay for them? Is that code open? If so, how can they charge for it, if it's public domain, as in freedom man.
            xuniL_z
          • Um Google is in compliance with the GPL

            in that they are not redistributing the changed code. They are using it in house. What's wrong with that? You see this is where you and No Axe always get confused about GPL software and Linux. NOW if Google were to make changes and redistribute them WITHOUT the source code... and so long as those changes were to GPL'd code, then you would have a leg to stand on. BUT if they include proprietary changes that DO NOT incorporate GPL code then they are also covered.

            This is why no one has gone after Google, they are abiding by the GPL. ]:)
            Linux User 147560
          • Ok, then they are walking a fine line, no?

            Are you saying because their products are not distributed in the old way, via physical media, they are within the license terms on their enterprise apps? What about when they require Googfox 3.0 for offline capabilities. They will officially have a client then, won't they need to release their source at that point? What's the point of having "freedom" of open source if it's so easy to just use the code for free (who has Google paid for Linux? Do they just download free distros and ghost them and load all their machines for free? And with the 10 billion in revenue from that code base, they don't have to share a thing? That's no different than how a Microsoft software vendor operates. Same with Salesforce.com, I know you aren't in love with this company, what's their excuse? I don't have time to read the GPL, which according to Torvalds, the FSF is bastardizing. What part of Linux source code is not under the GPL? Why are people backing these companies that just take Linux and hoard their changes and make tons of money? Other than the propagation of Linux within that company. Is that the only reason a hardcore is ok with it? Originally, as I understand it, under version 2.0 it's simply a quid pro quo and any changes to source code must be shared?
            What about Google Desktop?? It's redistributed. Is the source available for that?
            xuniL_z
          • Also, it's not "guys like me"

            That are spreading that Linux is free. It's the army of Linux crusaders who post time and time again things like why pay 399.00 blah blah for Vista, when Linux is free.

            Explain free as in freedom? What's the advantage of having the source at low levels to most businesses? Almost zero. Why would anyone change code in the kernel or subsystems? Wouldn't the next update to that distro overlay your custom code? Wouldn't that be a vicious cycle and very cost prohibitive? Most companies want an OS that works out of the box, that is easy to deploy and provide administration. Windows is a great example of that model. I've found Active Directory and Group Policy, to just talk at a higher level, to be as easy as it gets. IT generalists can set up a Windows network, win2003 AD domain with Exchange 2003 and XP clients w/o outside expertise. Any problems that do crop up can always be dealt with from the massive amount of info on the internet.
            I'm only saying this because you speak of me as a "proprietary guy". Yes, I use "proprietary" software. Is that considered evil in your world? Do you use it? Do you hate it? I'm not sure why so many do. It's like a tool that does a certain job or entire system of functions in a nice unified and integrated manner, that's a great tool to have in your toolbelt, no?
            xuniL_z
          • That's easy

            maybe there is something custom a small business needs or wants. Having the source allows them the ability to hire a programmer to accomplish the task far less costly than if the source code is hidden.

            As for an OS that works out of the box, Linux does. Quite well too for that matter. Well at least for those of us that aren't locked into a singular mindframe of Microsoft only. And to use your own words "Any problems that do crop up can always be dealt with from the massive amount of info on the internet." this is very true of Linux as well.

            Now free as in freedom explained (yet again!):
            1. The license does not restrict you to how many systems you can run on - Freedom #1 No limit to installations!

            2. The OS does not force you to verify you are the actual owner of said OS - Freedom #2

            3. At anytime you are displeased with said version of OS you can readily move to another - Freedom #3

            4. Integration into your infrastructure is simple and based on open standards. There are no secret hand shakes to play nice - Freedom #4

            5. You may give your OS to as many and whomever you wish whenever you wish with no restrictions (other than GPL, but hey all software has some form of licensing attached to it!) - Freedom #5

            6. You have the choice to pay for your OS and support or to go it on your own for $0.00 investment in software and support - Freedom #6

            So there are at least 6 freedoms and I am sure there are others that I have missed or forgotten. Does that answer your question... well probably not. Hey can't say I didn't try! ]:)
            Linux User 147560
          • Just a few more questions.

            "maybe there is something custom a small business needs or wants. Having the source allows them the ability to hire a programmer to accomplish the task far less costly than if the source code is hidden."

            It is rare that a company wants custom work at the level BELOW APIs. For the vast majority, MS, for example, provides a very powerful programming environment with the ability for very low level interaction with devices etc.
            More importantly, you don't have to worry about updates to your system stepping on your source code. It is seldom that updates affect your custom code indirectly either.
            You avoided that question. What about changes to the source of Linux? Surely the company will want to take updates etc. How do they handle it when their catalog of custom code keeps getting stepped on and needs reimplementing? I've worked with open source before (believe it or not!!) and this was a huge and costly part of maintaining it. You need an FTE just to handle this, and that is in a small to medium business. Large companies would need to put a lot more resource into just managing source code change. Seems hardly worth it considering people normally don't need to change the kernel of their OS.

            "As for an OS that works out of the box, Linux does. Quite well too for that matter. Well at least for those of us that aren't locked into a singular mindframe of Microsoft only. And to use your own words 'Any problems that do crop up can always be dealt with from the massive amount of info on the internet.' this is very true of Linux as well."
            I guess this is true, but I don't believe it's as easy, or cost effective, as going with Windows. I believe there are more resources needed to deploy and to maintain a Linux shop over a Windows shop. This also seems to be conventional wisdom now.

            "Now free as in freedom explained (yet again!):
            1. The license does not restrict you to how many systems you can run on - Freedom #1 No limit to installations!"
            I think this could be illegal. But nobody is going to prosecute it. If there were 20 proprietary software vendors serving equal amounts of the business world for business, and Linux comes along and a vendor allows free downloads of their OS in unlimited quantities, there would be big legal issues. It's only because of the political climate, IME, that it is even occurring at all.

            "2. The OS does not force you to verify you are the actual owner of said OS - Freedom #2"
            This is not really a freedom to me. If you are paying zero, you are getting zero support. That's why there are Red Hats, and Novells and IBMs etc., right? The assumption is they can make as much in service as in selling the software. We are not talking charitable organizations here. Rare is the business that is going to just start downloading Linux w/o either beefing up its IT staff to a costly amount or purchasing service separately, which could turn out in the long run to cost more than buying once up front.

            "3. At anytime you are displeased with said version of OS you can readily move to another - Freedom #3"
            Same with Microsoft. It's very easy to extract all of your data from a Windows based network into standard format. That takes care of your data, now just reimplement it on your next system of choice. All custom programming may need porting, but that's part of being a society that is not like a long line of clones. You may want to move to an Apple client. No less work with Linux than Microsoft to migrate.

            "4. Integration into your infrastructure is simple and based on open standards. There are no secret hand shakes to play nice - Freedom #4"
            Again, if the whole world was the same and everything played nice we could have a giant parade and give away free cars or something I suppose. That is not how the world works. Thank God!!

            "5. You may give your OS to as many and whomever you wish whenever you wish with no restrictions (other than GPL, but hey all software has some form of licensing attached to it!) - Freedom #5"
            You don't explain NON GPL'd software. People can take free Linux, ignore the licensing and do what they want? Or what? To me it sounds like any legitimate or respected Linux would use the GPL (as bastardized and run by crooks at FSF as it is), so your freedom here is moot.

            "6. You have the choice to pay for your OS and support or to go it on your own for $0.00 investment in software and support - Freedom #6"
            Again, this has legal ramifications. I don't understand why it would be legal. If you were a multi-billionaire and decided you were going to give away free cars to everyone over an extended period of time (or even just once if it's everyone). For one, it's directly against the commerce act and would be constitutionally illegal in the U.S.

            "So there are at least 6 freedoms and I am sure there are others that I have missed or forgotten. Does that answer your question... well probably not. Hey can't say I didn't try!"
            What about the "freedoms" of proprietary software? Freedom of support. Freedom of overpaying for a fully unified system, which even then could never be really unified. Freedom of full integration from client to every last server product. etc.

            Linux is fine. As long as it competes fairly under the law and doesn't have a lead non profit organization like the FSF running smear campaigns with its money. Like someone you admire has said.......
            http://linux.slashdot.org/article.pl?sid=06/02/03/144250

            You are not a crusader...right?
            xuniL_z