'Responsible disclosure' is probably one of the worst things to happen to the cyber-security industry, and the $100K carrot-on-a-stick is only going to make it worse.
Selling exploits to customers who don't intend on fixing the exploit (buying a hacker's silence) is exactly the nightmare that came to light regarding MS releasing exploit information to NSA prior to releasing publicly-available bugfixes, and these kinds of monetary incentives to the security community will only make things worse.
Where's a professional vulnerability researcher I can read making the same case? My feed is full of researchers saying how great this is, and how big an accomplishment it was that Katie Moussouris and her team managed to pull it off after Microsoft publicly declared itself opposed to bug bounties.
The work required to build reliable exploits against hardened Windows can take months. Why shouldn't researchers be compensated for that work? If you don't want to accept payment for it, that's fine; don't. But why is it bad for other people to do so?
I'm not arguing about compensation, I'm arguing about public safety. People and organizations selling exploits are effectively complicit in the damage resulting from their sales.
That's exactly my point, which is why it's dangerous. If the exploits were made public as soon as possible (full disclosure) then MS will have incentive to release bugfixes as soon as possible to the general public.
By taking the cash, I am sure you are bound by secrecy enforced by jail time. I see these increased payments as hush money to keep researchers quiet while they feed them to the NSA for zero day exploits.
Not to mention, the outsider is a complete unknown. Are they an upstanding white hat? Or are they the darkest of greys? You have no idea.
At least an internal employee is on your payroll, and has been screened with a background check. You don't get to screen which people get to discover vulnerabilities.
While that might decrease the total number of days in a year when there are unpatched exploits that MS knows about, it would increase the total number of days in a year when there are exploits known to hackers. I don't think that would make us safer.
Microsoft releases this exploit information to governments as a matter of policy, and the governments accordingly conduct clandestine operations and cyber-attacks using this exploit information.
MS is in the unique position of being the only ones able to fix the exploit so they are a single-point-of-failure, which diminishes the security of everybody using Windows operating systems.
No, Microsoft releases vulnerability information to the government along with private companies in the antivirus and intrusion prevention space. They do this because they have a coordinated patch schedule that creates windows of known vulnerability.
Microsoft does not have the in-house expertise to feed exploits to anyone.
> Microsoft does not have the in-house expertise to feed exploits to anyone.
I agree with you everywhere else in this thread, but you are clearly not up to speed on who works there if you believe that to be accurate. Some of the best exploit writers, who have pioneered new classes of techniques, work at Microsoft (because Microsoft went on a recruiting spree to target them).
I know who works there and believe my statement to be accurate; remember, we're talking about the total volume of all vulnerabilities discovered in Microsoft products.
If you are narrowing the scope of your claim to say that Microsoft doesn't have the expertise to write exploits for every version of every product affected by every vulnerability, ok, sure. That isn't what was suggested though, and isn't something any reasonable person would have implied.
Then again, the notion that Microsoft dedicates resources to serve as an outsourcing shop for NSA hackers to develop "cyber weapons" no longer has "reasonable person" anywhere on the horizon. That's not even worth entertaining, I just had to interject because I thought you were saying MS doesn't have good exploit writers ;)
I do think the MAPP equivalent for governments, probably as an unintended side effect, grants some advantage to parts of the .gov interested in attacking the products. How much, and whether or not they need it, is another story. But I agree that the NSA sure doesn't need their help - it's probably just a bit of free gravy if anything.
And in Microsoft's defense, it really wouldn't matter if they gave them to the NSA or not. The distribution list is very large, and the teams who ultimately receive that content are not vetted in any way.
Groups brokering exploits is definitely scary stuff. But the non-privatized government researchers have existed long before them and are better at keeping silent and therefore largely perpetual exploits.
Under it all, the current model remains a security-by-obscurity model, where anyone with orders of magnitude more resources can certainly do enough reverse engineering to find the weak links and break in without planting backdoors.
Vendors reaching the point where they can offer bounties without contemplating bankruptcy implies considerably more resources are going into secure-by-design software and will continue to flow if they plan to remain solvent and unembarrassed (equally embarrassed?).
I've been playing with a Chromebook and I am delighted to see frivolous and even fairly significant features were dropped to develop a secure boot model with a reasonable opt-out. I'm sure it will still be broken, but 5-10 years ago it would have been trivially breakable to meet some last-minute corporate request for TFTP booting, a marketing demo, or what have you.
Similar to the drug market, you can not drop the open market and expect everything to stop. Instead you must capture as many resources as you can and direct them to the right goal. I would hope that goal is secure kernels that expand out towards today's features, since the opposite clearly does not work with the resources at hand.
> Selling exploits to customers who don't intend on fixing the exploit (buying a hacker's silence) is exactly the nightmare that came to light regarding MS releasing exploit information to NSA prior to releasing publicly-available bugfixes, and these kinds of monetary incentives to the security community will only make things worse.
Read more: https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales...
These exploits are effectively high-tech weaponry and they should be treated similarly.