Should Microsoft start paying for vulnerabilities?

section: microsoft, for your questions: KezNews forum, 16.3.2007

    Tip: Click here to update all your PC's outdated drivers

Hackers are starting to agitate for Microsoft to start paying for information on security flaws found in its software products.
The issue surfaced this week after the MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public.

The invitation — which covered bugs found in all of Microsoft's online web properties, such as *.microsoft.com, *.msn.com and *.live.com — is part of Microsoft's insistence on the concept of "responsible disclosure," under which researchers give affected vendors advance notice. But, for the first time, the response from hackers suggests it is time for Microsoft to offer cash rewards for flaw information.

Immediately after Microsoft's Sla.ckers.org post, "digi7al64" replied with this:

[I] propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this I suggest would be a flood of vulnerabilities reported the first few months which would taper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vuln) I'm sure you could get away with it for less than 20-50k all told… which in the big scheme of things is a drop in the ocean for MS.

Information on software defects is considered extremely valuable — vendors use it to improve the quality of their products — but the existing "responsible disclosure" system hands that information to software vendors for free, even those with deep pockets.

The existence of third-party brokers like VeriSign's iDefense VCP and 3Com TippingPoint's ZDI has validated the market for software flaws and given white hat hackers a place to make money for their work, but there is a growing feeling that the big vendors — especially Microsoft — should set up a bug-bounty program that tangibly rewards external researchers.

Microsoft's official policy is that responsible disclosure works just fine and that the credit given to bug finders in security bulletins is more than enough, but a burgeoning black market and the spike in zero-day attacks provide proof that the status quo needs fixing.

source: blogs.zdnet.com

Comments(7)

Microsoft can't have it both ways

By ScytheNoire on 16.03.2007 - 11:03
seems like a fair proposal. when microsoft goes around charging an obscene amount for windows vista, i think it's only fair for them to pay people who find bugs, which helps microsoft and would cost them to have others do it for them. no freebies microsoft. you want to screw us over, we are going to do the same to you.

might make microsoft to think twice

By Crashoverload on 16.03.2007 - 15:03
i think so.. this might make microsoft think twice with their poorly/crappy coded products..

Better yet..

By crashoverload on 16.03.2007 - 15:03
microsoft should pay each and every customer of a particular product that has the vulnerabilities each and every time a vulnerability comes out.. lets say $50.00 usd each time..

Sounds good in theory, but...

By techbrat on 16.03.2007 - 18:03
the concept of a bug-bounty sounds all well and good, unfortunately it could have the opposite effect in terms of security. encouraging "hacking for cash" can be very dangerous and could easily lead to more script-kiddies going that extra mile and crossing legal boundaries for a bit of extra pocket money.
other os's are often considered to have fewer bugs, but it's generally about the number of users (and therefore testers) as well as things like their test plans and release cycle.
so, it sounds good in theory but could lead to more exploitable bugs being leaked and more script-kiddies learning the hard way about ethical hacking.

One way or the other...

By ctrl on 16.03.2007 - 19:03
seems to me that it is a profitable means for those that find these vulnerabilities now anyways...as more people that find these holes are selling these vulnerabilities underground or to security firms. so, why not have microsoft fork over the money for these holes. the people they pay to secure their software aren't doing the job apparently, so why not reward those that do find these vulnerabilities.

WHOEVER REPORTS A BUG TO MICROSOFT FOR FREE SHOULD BE SHOT

By Billly the Gate on 17.03.2007 - 08:03
microsoft should program their own products, instead of stealing and copying from other third party programs. (internet explorer 7 copied from mozilla firefox, tabs etc) with apple mac you can't even get a virus even if you try, and that's without an antivirus installed. i recently visited apple.com and they have an advertising slogan which reads "why upgrade to vista when you can upgrade past it?"
anyone who helps microsoft without being paid should simply be hung and quartered. the mac operating system is so advanced it makes vista look like used toilet paper, you can even run windows inside a mac system side by side!!! damn!!

not gonna happen ?

By syke on 17.03.2007 - 16:03
that would mean it would turn into a big game of find the fault and people would do it just for the money. so i don't think it will happen