
These are people selling vulnerability research to the only company in the world that is capable of effectively fixing those vulnerabilities.



That's exactly my point, which is why it's dangerous. If the exploits were made public as soon as possible (full disclosure) then MS will have incentive to release bugfixes as soon as possible to the general public.


If you want to release your vulnerabilities publicly, Microsoft isn't stopping you.


By taking the cash, I am sure you are bound by secrecy enforced by jail time. I see these increased payments as hush money to keep researchers quiet while they feed them to the NSA for zero day exploits.


Why would Microsoft sell the NSA exploits some black hat came up with against their own operating system? They can just install a backdoor.


They do not have to pay a programmer to put in a back door who may one day talk about it. Fewer people need to know about the program in general.

By default a naturally occurring exploit probably upon inspection looks less intentional than one put there on purpose.


Fewer people need to know about the program in general

. . . except for the outsider who mailed them about it and got paid a chunk of money as a result.


Not to mention, the outsider is a complete unknown. Are they an upstanding white hat? Or are they the darkest of greys? You have no idea.

At least an internal employee is on your payroll, and has been screened with a background check. You don't get to screen which people get to discover vulnerabilities.


This person would just be reporting an exploit and getting paid for it.

They would not know about the program which takes that exploit and then gives it to the NSA.


And why would a programmer know it was for the NSA? Just tell your underling, "We need a backdoor for <Plausible reason>"


You're either a bad troll or you would make a bad co-conspirator. Just commit a security bug to your own product and save the 100k, duh.


Microsoft can't jail anybody.


Jail time? I don't think so, but I could see MS making you sign an NDA to get the money. There may be other criteria they use in order to pay out.

Nevertheless, I don't see how this is a bad thing.


So put your money where your mouth is and build a consortium that will pay researchers to release them publicly.


While that might decrease the total number of days in a year when there are unpatched exploits that MS knows about, it would increase the total number of days in a year when there are exploits known to hackers. I don't think that would make us safer.

