HN Gopher Feed (2017-07-26) - page 1 of 10 ___________________________________________________________________
Announcing the Windows Bounty Program
140 points by el_duderino
https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-t...___________________________________________________________________
eitland - 3 hours ago
I reported an information leakage from password fields in Windows
some moons ago (ctrl arrow would stop between different character
classes in modern Windows style password fields.) I don't think this
was a big find but I remember I was still somewhat underwhelmed by
the response.
crsv - 3 hours ago
With the increasing number and value of these bounty programs, how
viable is a career in professional free lance security bug hunting?
j0hnml - 2 hours ago
I wonder the same thing. The only downside I can see is that the
more days that go by while bug-hunting, the more anxious I'll get
about not having a consistent biweekly paycheck. It would be a
very results-driven career à la sales, but I'm not sure I could
take that stress. If you are legitimately good enough, there are
certainly companies out there who will pay you well and
consistently to hunt for bugs/vulns.
tptacek - 3 hours ago
It's doable, but if you're good enough to somewhat routinely find
bounty-worthy bugs but not spooky good at it, it's not the most
lucrative way to put bug-hunting skills to work.
cperciva - 3 hours ago
I've noticed a spike recently in bug bounties going to people
who use a combination of fuzzing and code analysis tools. It
may be that we're moving to a point where bug-hunters' ability
to use sophisticated tools will be what earns them the most
money, rather than their ability to eyeball code and see the
bugs. Speaking just for myself: A few years ago I was saying "I
should really set aside a few months to learn to use fuzzing
tools"; now I'm saying "it's easier to just offer bounties and
let someone else do the fuzzing for me".
dsacco - 2 hours ago
As those tools become more widely used and easier to use,
you'll be able to lower the mean bug bounty reward payment as
well.
dsl - 2 hours ago
I did this on a popular bug bounty platform. Wrote a tool to
look for the top 10 most common issues with mobile apps and
auto submit bugs. Fuzzing is where you are going to find most
memory corruption bugs these days, bounties or not.
mindingdata - 2 hours ago
There was this thing called "Hostile Subdomain Takeover"
where a company would point a subdomain to a particular SaaS
product (Say Zendesk), sometime later, they would cancel
their subscription but not change the A record. Someone could
then go and register a new Zendesk account (If the service
doesn't require proof of ownership of domain), and say that
they want to use the same subdomain. Now they have a Zendesk
account with the URL of http://help.somedomain.com as an
example. And they can phish people quite easily. Anyway, the
reason I bring it up is because for a while, I saw people
spamming the shit out of bug bounties with this stuff.
Because it's super simple to do. So I'm not sure what is more
lucrative for an average joe, actually learning proper
techniques or trying to piggy back on some low hanging fruit
that may be easy to automate.
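The dangling-record check the comment above describes, as an added example (not code from the thread, from any bounty platform, or from Zendesk): walk a zone's CNAMEs, pick out the ones that point at a third-party SaaS host, and fetch each subdomain to see whether the provider serves its "nobody owns this name" page. The record set, the HTTP bodies and the `sample_fetch` helper are constructed for this example; the provider fingerprint strings are illustrative assumptions and must be refreshed from each provider's real unclaimed-tenant page before use.

```python
"""Dangling-CNAME / subdomain-takeover check over a constructed record set.

Added example; not code from the thread or from any bounty platform.
Provider fingerprints are illustrative assumptions and must be refreshed
from the provider's real "no such site" page before relying on them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed fingerprints: the text a provider serves when a CNAME points at it
# but no tenant has claimed that name (stale entries cause false negatives).
FINGERPRINTS: Dict[str, str] = {
    "zendesk.com": "Help Center Closed",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}


@dataclass(frozen=True)
class Finding:
    host: str       # our subdomain
    target: str     # what the CNAME points at
    provider: str   # matched provider suffix


def provider_for(target: str) -> Optional[str]:
    """Return the provider suffix a CNAME target belongs to, or None."""
    target = target.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


Fetcher = Callable[[str], Optional[str]]


def scan(cnames: Dict[str, str], fetch: Fetcher) -> List[Finding]:
    """Flag hosts whose CNAME points at a fingerprinted provider AND whose
    HTTP body carries that provider's unclaimed-tenant text.

    `fetch(host)` returns the body served for the host, or None on failure.
    An unreachable host is inconclusive, so it is skipped rather than flagged.
    """
    findings: List[Finding] = []
    for host, target in sorted(cnames.items()):
        provider = provider_for(target)
        if provider is None:
            continue  # points somewhere we do not fingerprint
        body = fetch(host)
        if body is None:
            continue  # timeout / refused: inconclusive, not a finding
        if FINGERPRINTS[provider] in body:
            findings.append(Finding(host, target, provider))
    return findings


# Constructed sample zone: three subdomains delegated to SaaS providers,
# one pointing at our own origin.
SAMPLE_CNAMES: Dict[str, str] = {
    "help.example.com": "example.zendesk.com.",
    "docs.example.com": "example.github.io",
    "blog.example.com": "old-blog.herokuapp.com",
    "www.example.com": "origin.example.com",
}

# Constructed responses standing in for real HTTP fetches.
SAMPLE_BODIES: Dict[str, Optional[str]] = {
    "help.example.com": "<title>Help Center Closed</title>",  # subscription cancelled
    "docs.example.com": "<h1>Product docs</h1>",              # still claimed
    "blog.example.com": None,                                 # timed out
}


def sample_fetch(host: str) -> Optional[str]:
    """Stand-in for an HTTP client; returns the constructed body or None."""
    return SAMPLE_BODIES.get(host)


def vulnerable_hosts() -> List[str]:
    """Hosts the scan flags against the constructed sample data."""
    return [f.host for f in scan(SAMPLE_CNAMES, sample_fetch)]


if __name__ == "__main__":
    for f in scan(SAMPLE_CNAMES, sample_fetch):
        print(f"TAKEOVER CANDIDATE {f.host} -> {f.target} ({f.provider})")
```

In a real run, `sample_fetch` is replaced by an HTTP client and the CNAME map by the output of a zone export or DNS enumeration. Two caveats the comment's A-record case raises: when the delegation is an A record rather than a CNAME, the provider has to be identified from the address (a published IP-range list) before the same body check applies, and for some providers a CNAME whose target no longer resolves at all is itself the takeover signal, which this fingerprint-only check does not cover.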
thaumasiotes - 21 minutes ago
This is definitely still a thing.
dsacco - 2 hours ago
And even if you're "spooky good", you only really need to be
spooky good for six - 12 months before something like Google
Project Zero will pick you up to (in all likelihood) pay you
far more anyway.
[deleted]
marcoperaza - 3 hours ago
My understanding is that the grey market for exploits is way more
lucrative than the bug bounty programs.
tptacek - 3 hours ago
It is in the very specific case that:

(1) You are effective at finding the specific kinds of
vulnerabilities that the grey market actually purchases. People
have _very_ weird ideas about what the grey market wants. In
reality, if your bug isn't a drive-by clientside in a popular
client, it is unlikely that anyone wants to buy it.

(2) You are willing to get your hands dirty with shady
purchasers. If you're talented, you can make good money in the
grey market, or you can retain plausible deniability about what
your work is being used for, but you can't do both of those
things.

That first case is really the limiting factor. And remember, if
you can reliably sell bugs to the grey market, that strongly
implies you have lucrative options in the legitimate market. Bug
bounties are not the most competitive alternative to the grey
market!
dsl - 2 hours ago
> In reality, if your bug isn't a drive-by clientside in a
> popular client, it is unlikely that anyone wants to buy it.

That sounds like black market buyers (maybe we disagree on
where the "gray" line is). Governments are very interested in
bugs that allow pivoting and lateral movement.
daddyo - 2 hours ago
How would one, hypothetically, go about selling
exploits/bugs to governments as a freelancer?
big_youth - 2 hours ago
Plenty of brokers exist, I'm personally familiar with
Exodus Intelligence and Zerodium
dsacco - 2 hours ago
The nature of the work is such that:

1. If you have to ask this question, you are quite far from
being able to do it any time soon (and that's assuming you can
find the vulnerabilities!),

2. You will predominantly sell your vulnerabilities, preferably
weaponized as complete exploits, to firms that specialize in
"vulnerability research" and "exploitation development" with
close ties to government agencies.

It's much easier to find a firm that can act as a broker
between you and the government agency than it is to knock on
the right doors to sell it on your own, with no background or
prior contact.
AngeloAnolin - 2 hours ago
Overall, I feel this is a good move by Microsoft. Admittedly from
their side, they won't (or cannot) cover all security holes from
their system. Asking help from external sources and rewarding them
appropriately is also good, allowing them to patch their system. In
turn, end users will (hopefully) get an OS that is secure. Win for
everyone. Way to go MS!
jumpkickhit - 2 hours ago
Bounties for Edge? Isn't it less than 5% in browser market share?
I like the fact they're offering a bounty program, I'm just surprised
Edge was included I guess.
ocdtrekkie - 2 hours ago
Edge is the recommended primary web browser of Windows going
forward... so yeah, it kinda makes sense for them to include it.
tiffanyh - 3 hours ago
I wonder what impact this will have on open source software
(OSS). OSS can't afford to pay people to look for bugs and improve
the overall software. But commercial companies can. I wonder if
there will exist a date/time in the future where closed-source
software, because of these bug bounties, will yield better (less
buggy) software vs OSS.
cgb223 - 3 hours ago
Maybe we should start some sort of foundation dedicated to
providing the same incentive to find bugs in OSS. I'd imagine there
are a lot of programmers who would be interested in supporting
something like this
43gg43g32g - 3 hours ago
OSS already had bug bounties a long time ago.
markstos - 3 hours ago
Many companies large and small already pay penetration testers to
try to break into their Linux-based servers on a regular
basis. I was personally involved in a case where a recognizable
brand's pen testing effort led to a fix in a well-used piece of
open source software. A lot of open source is already
being fixed thanks to commercial interests.
tptacek - 3 hours ago
Facebook, Github, and Microsoft already co-sponsor a well-funded
open-source "Internet bug bounty".
darawk - 3 hours ago
It seems like this might be in part balanced by the fact that
it's much easier to find vulnerabilities in open source software,
since it's open source.
harigov - 3 hours ago
If you think about it, it was always that way. However, a lot of
companies that depend upon open source software also invest on
it, so it also gets a reasonably good number of eyes trying to
fix bugs and add features.
computerex - 2 hours ago
I think that is already the case to some extent.
jklein11 - 3 hours ago
Similar behaviors likely exists in OSS they are just called
different things.For example, ACME Co uses open source project
XYZ. Acme Co uses resources to make sure that XYZ is secure and
bug free. Acme Co is then incentivized to contribute any changes
they have found, because they would like to stay in sync with the
master branch of XYZ so they can get any updates the community
pushes.In the case of OSS, the pool of resources is likely far
bigger than with closed source software.
efdee - 3 hours ago
That's how the theory goes, but how often does this really
happen though? See: OpenSSL
tptacek - 2 hours ago
The simple reality is that when it comes to vulnerability
research, Microsoft : Windows :: Google : Open Source.
skrebbel - 2 hours ago
On the other side, e.g. Egor Homakov hacked GitHub a few
times through vulnerabilities in Rails. GitHub paid him
bounties anyway. I'm no expert, but it appears to me that at
times it does work, just not always.
sliverstorm - 2 hours ago
Well, the kernel, right? Many many major corporate
contributors. Kind of the opposite of OpenSSL, I guess, which
everyone uses and no one seems to maintain.
groby_b - 1 hours ago
See: BoringSSL
kazinator - 23 minutes ago
To begin with, some OSS doesn't even know how to treat people who
report bugs.
strictnein - 3 hours ago
> If a researcher reports a qualifying vulnerability already found
> internally by Microsoft, a payment will be made to the first finder
> at a maximum of 10% of the highest amount they could've received
> (example: $1,500 for a RCE in Edge, $25,000 for RCE in Hyper-V)

Wow. I guess this kind of functions as hush money? To make sure they
don't reveal the issue before MS patches it. But still, this seems
like a good move.
crazcarl - 3 hours ago
I wonder how often it happens that a company lies (or stretches
the truth) about already knowing about a vulnerability to avoid
paying a bounty. If it happens even sometimes, the 10% might
provide additional incentive for researchers to target Microsoft.
Even if they don't get a full payout, at least they get
something.
43224gg252 - 2 hours ago
A company would never lie. Especially Microsoft.
canadianwriter - 2 hours ago
My sarcasm detector is acting a little wonky - there is no
real reason for Microsoft to lie about this, it isn't exactly
breaking the bank for them.
devrandomguy - 2 hours ago
Microsoft is composed of people. The people we worry about
here, are the ones who might be incentivised to discover
exploits before an outsider. They would have an incentive
to back-date their work, or their subordinate's work.
Analemma_ - 1 hours ago
They're not stupid. If they cared so much more about
pinching every last dollar than about security, they
wouldn't have launched the bug bounty program at all. BTW,
as others have mentioned, this is strictly better than
the policy of other bug bounties until now, which is "We
already found this, so you get nothing"
tptacek - 2 hours ago
Microsoft is not lying about vulnerability discovery.
JoshTriplett - 3 hours ago
It also encourages researchers to do research, by making it less
likely they'll do a pile of research only to be told "sorry, we
already found this, you get nothing". Right now, pursuing a
bounty is a risky proposition; this makes it less risky.
strictnein - 3 hours ago
Yeah, good point. "Hush money" may have been a little too
harsh.
monocasa - 3 hours ago
It's good to see the bounties increasing to the range you could get
on the open market.
Analemma_ - 3 hours ago
Every time you compare a bug bounty payout to the price of
vulnerabilities on the open market, tptacek dies a little inside.
Please, think about poor Thomas.
tptacek - 3 hours ago
A lot of the high-dollar bugs Microsoft is soliciting here
actually do have grey-market value.
mercurysmessage - 3 hours ago
Yes, I'm pretty glad this is around. Hopefully it will lead to
less NSA exploits.
astrodust - 3 hours ago
The NSA will just have to pay more.
Fej - 3 hours ago
They have an almost unlimited budget, as far as we know.
monocasa - 3 hours ago
Eh, I don't know anyone who when faced with managing
billions of dollars has said, "OK, this is enough money".
mercurysmessage - 3 hours ago
Where the people pay increased taxes to help the NSA spy on
them easier.
mtgx - 3 hours ago
That $50+ billion black budget doesn't spend itself.
tptacek - 3 hours ago
Which is actually sort of a worst-case scenario (not that I
think this bounty is bad), because NSA's primary objective is
in fact not to hack all your Windows machines, or even to
hack anyone's Windows machine. NSA's primary objective is to
secure more budget/headcount for NSA.
cperciva - 3 hours ago
While that's true, the NSA's secondary objective is to be
the only people who have an arsenal of exploits. Since
they have the largest budget, having the price of exploits
go up only helps this goal.
tptacek - 2 hours ago
Right. I don't think bounties like this alarm NSA in any
way. In fact, since NSA probably believes it has a
practically unlimited capability of acquiring Windows
vulnerabilities, the bounty probably helps, by taking the
heat off them and the intractable notion of a
"vulnerability equities process". I think it's more
important to remember the NSA's primary goal in other
security conversations. What you really don't want to do
is propose protocols that leave plausible-but-difficult
attack vectors for NSA, because "plausible-but-difficult"
is probably inscribed in Latin on some seal somewhere in
Ft. Meade.
ourmandave - 3 hours ago
That max hyper-v payout of $250,000 reminds me of the TV Trope Just
Cut Lex Luthor a Check
http://tvtropes.org/pmwiki/pmwiki.php/Main/CutLexLuthorAChec...
legulere - 2 hours ago
Usually you can get more money for exploits on the black market,
than from bug-bounties. Governments from all around the world
have a lot of money to spend to buy exploits.
oxide - 3 hours ago
It's about time. I hope the incentives stay strong enough, and don't
require hoops to jump through. Otherwise the gray/black markets
could out-bid the bounty and cut the red tape to incentivise their
own acquisition of the exploits in question.
tptacek - 3 hours ago
Microsoft has been doing this for a long time; they're one of the
pioneers of bounty programs.
ygjb - 54 minutes ago
Much respect to Microsoft and their new found love of bounty
programs, but pioneer is a bit of a stretch - they launched
their first bounty program in 2013, well after third-party bug
buyers like ZDI, and even after BugCrowd and other bug
bounty as a service companies launched.
v4n4d1s - 3 hours ago
Dear Microsoft

> Any critical or important class remote code execution, elevation
> of privilege, or design flaws that compromises a customer's
> privacy and security will receive a bounty

Windows 10 has a major design flaw which compromises your customers'
privacy and security. You call it Telemetry and it can't be disabled
completely (definitely a bug! Nobody would make such a stupid
decision, amiright?). Please send me further instructions on how I
can claim my 250k. Also: Why is there nothing for Server 2016?
eitland - 3 hours ago
Defending you here: In this setting this is relevant even if
funny. I'll still downvote you for the same comment elsewhere. And
I mostly defend MS for enabling telemetry by default but I don't
defend how absurdly hard they have made it to disable it.
43gg43g32g - 3 hours ago
Don't know why you got downvoted for this on a hacker forum.
devrandomguy - 2 hours ago
From the site guidelines
(https://news.ycombinator.com/newsguidelines.html):

> Please avoid introducing classic flamewar topics unless you
> have something genuinely new to say about them.

For the record, I'm not the one who downvoted the parent for an
honest question.
Someone1234 - 2 hours ago
It is off-topic. There are threads where it would be relevant,
in this case they're just using this thread as a sounding board
because the title contains the word Microsoft. Plus we have all
read near identical posts and the corresponding discussion
hundreds of times already, because they appear in every thread
that brings up Microsoft. It is kind of like Godwin's law,
except instead of Hitler it is telemetry and Microsoft. If
there is new information or new things to discuss, absolutely
let's talk about it, but repeating the same complaint gets old
after the nth time.
mercurysmessage - 3 hours ago
Just like Apple, yet no one complains about them.
nilved - 3 hours ago
Where do you live where you're not hearing complaints about
Apple?
mercurysmessage - 3 hours ago
Not Silicon Valley ;p. I never hear anyone complain or hardly
anyone even knowing about it.
mrkrabo - 3 hours ago
Because you can disable it. No?
mercurysmessage - 3 hours ago
Yes, with some effort:
https://github.com/drduh/macOS-Security-and-Privacy-Guide
You probably could with the same amount of effort for Windows,
but at least Windows makes it more clear that it is happening.
GeekyBear - 2 hours ago
As far as telemetry goes, there is a simple on or off
checkbox in the Security and Privacy control panel.
unit91 - 2 hours ago
I'll never understand why so many people think whataboutism
is a valid form of counter-argument...
cm2187 - 23 minutes ago
I am mostly surprised by the absence of server 2016 as well
kazinator - 26 minutes ago
> Bounty payouts will range from $500 USD to $250,000 USD

I will need some $25K in cash upfront to be convinced to start using
Windows 10.
kazinator - 20 minutes ago
Not complaining, but technical question: how did that get a
downvote when it was 3 minutes old? I have a 5 minute delay
configured! I saw "0 points"; then refreshed browser; still said
"3 minutes ago". Rubbed eyes, checked profile settings: "delay 5"
still configured.

"delay" is a profile parameter which specifies the number of
minutes which elapse from when you initially create a comment to
when it becomes published. This gives you a chance to edit or
retract your comment before it is subject to public criticism.
I've never before seen a voting or reply event occur on a comment
prior to the expiry of the delay. (Maybe some clocks are way out
of sync between some distributed servers, so 3 minutes old here
means 5 minutes old there? Or maybe NTP suddenly stepped a lagging
wall clock forward by a couple of minutes?)

To the topic: how much $ can I get out of this? ;)
seanhandley - 18 minutes ago
Wow. About time.