Wednesday, June 19, 2013

Even Microsoft has to pay for it

Microsoft has joined Google, Mozilla, and the rest by finally offering a bug bounty.

In the past, Microsoft didn't have to offer bounties. Windows was ubiquitous. Whenever something crashed, security professionals would launch the debugger, figure out what crashed, how to repeat the crash, and thus, find the vuln. Disclosing the bug to Microsoft, and getting credit for it, was an important resume builder. A lot of early cybersec pros got their first high-paying jobs based on their public disclosure of vulnerabilities.

In addition to the carrot, Microsoft had a stick. Because of its dominating position in the industry, most companies' survival depends upon goodwill from Microsoft. With its "responsible disclosure" policy, Microsoft made it clear that this goodwill would disappear if people didn't follow the policy, for example by disclosing a bug before Microsoft had fixed it (even if the fix took them a year). This intimidation forced many security researchers to play along.

Then things changed. Starting about 10 years ago with WinXP SP2, Microsoft got really serious about defense. They went from the joke of the industry (though unfairly) to the leader in writing secure code. We professionals spend more time with our iPads, Androids, and other systems and less time with Microsoft products. We are less likely to come across bugs accidentally in daily use, and we are less likely to be intimidated into responsible disclosure.

The biggest change has been the rise of the "vuln market". Instead of pimping your vuln for fame, you can now sell it to an interested party, such as Russian organized crime, Chinese spies, or the NSA cyberwarriors. The right bug, to the right customer, at the right time, can be worth $1 million. Even crappy bugs can be worth $10,000. That means Microsoft can no longer count on people disclosing bugs to them for free -- they have to bid against the Russians, Chinese, and Americans.

Bug bounties from the vendors still pay less than the "market rate", for good reason. If you sell to the Russians, you may find yourself (or a family member) getting kidnapped. If you sell to the NSA, you might find the FBI raiding your house. Also, you don't know who, precisely, to sell to, so you'll be going through a middleman, who will take a cut. Thus, the safest and surest route is to sell your bug to the vendor -- even at a fraction of the price.