Microsoft’s Brilliant Idea: A Bug Bounty Program!

It may be largely a locked-down PRISM world we’re living in today, but that doesn’t mean those of us here in the Linux blogosphere can’t still have a little fun once in a while — especially if it’s at Microsoft’s expense.

The latest opportunity?

Well, get this: Microsoft had a really good idea recently. *Really* good! Rather than relying on just its own, in-house team to find vulnerabilities in its software (phew, what a job!), Redmond has decided to… wait for it… launch a bug bounty program! Not just one, in fact, but three of them!

Gee, Google, Mozilla — why don’t you ever come up with good ideas like that?!

‘About Time!’

Ahem. Maybe it was a particularly long week — Linux Girl doesn’t actually remember — but for some reason, she found the notion hilarious.

Her barmates down at the blogosphere’s Broken Windows Lounge, as per their wont, had plenty of thoughts to share.

“Most of the responses I’ve been seeing to Microsoft’s bounty program are to the tune of, ‘about time!’” began Hyperlogos blogger Martin Espinoza. “My response is even snarkier: I presume that if they’d done this back in the XP days, they’d have run through their cash reserves in short order.”

‘I Am in Favor’

Presumably, this latest move “signals a high level of confidence in Windows’ security, which by most accounts is relatively warranted today,” Espinoza said.

“I am generally in favor of bug bounties, as there is already plenty of monetary incentive to abuse security holes in one way or another, and I’d rather see Windows secure than have an easy target for mockery,” he added.

Similarly, “this is a good start, but I think Microsoft completely misunderstands why researchers cut back on reporting bugs to them,” consultant and Slashdot blogger Gerhard Mack told Linux Girl. “The simple fact is that people who report bugs do not like to see their discovery downplayed.”

‘Good for Them’

The one upside, however, is that “now that there is money involved, they will fight back harder against their bugs being downplayed,” Mack added.

In the long run, “Microsoft will need to stop treating bugs as a PR problem — until they make that change, Microsoft will still have a problem,” he concluded.

“Good for them,” began Linux Rants blogger Mike Stone. “Anything Microsoft can do to improve their product I’m all for.”

‘They’d Open Source the Whole Thing’

Mind you, “this won’t make me want to use Windows any more,” Stone added, “but it will help to stomp out all the needless malware traffic that’s constantly plugging up my Internet because of all the infected Windows machines on it, and that’s a good thing for me.”

Of course, “if Microsoft really wanted to secure their OS and improve its quality, they’d open source the whole darn thing and let the community look through the code,” Stone added. “Microsoft’s Bug Bounty program still doesn’t approach the advantages of open source. Maybe someday, Microsoft.”

Linux Girl ordered another round for the house after that last comment.

“If M$ were serious about bugs they would open their source code and allow the good guys to really go at it,” echoed blogger Robert Pogson. “Instead, white hats are restricted to the same old spray-and-pray tactics that occasionally find the computer science 101 bugs, buffer overflows and the like.

“M$ can do that itself,” Pogson added. “It doesn’t need the world doing it.”

‘Needless Complexity’

A more serious effort would mean opening the code and allowing the white hats to “find the needless complexity and poor design M$ has shipped to the world for decades in order to add useless features to the old software,” he concluded.

“Serious security requires many eyes — many more than M$ has on staff,” Pogson added. “It is a step forward to hire outsiders to test software, but M$ is years behind the rest of the world in doing that.”

Indeed, “Microsoft is waking up to the fact they are not the only ones in the OS arena, like it was some years ago when Linux was not such a garden-variety-potential-user’s choice and Mac was mainly a U.S. favorite,” Google+ blogger Rodolfo Saenz told Linux Girl.

“To me, it is also a way of recruiting new talent,” Saenz added.

‘A Win-Win-Win’

“I think bug bounty programs are a good thing,” opined Robin Lim, a lawyer and blogger on Mobile Raptor. “It attracts the right kind of people to scrutinize software, and may convince a fair number to trade in their black hats for white ones.

“Offering bounties earlier, while software is still in beta, means releasing more secure software,” Lim added.

It’s true that “Microsoft is a bit late to the party,” Lim conceded, “but it is joining in a big way, backing its bug bounty program with some serious money.”

That’s “not a bad way to put your licensing fees to work,” he added. “The program only covers some products Microsoft probably feels are most critical, but if the program is successful, I suppose we will see it expand. Looks like a win-win-win situation for Microsoft, the security community and the consumer.”

‘Just Common Sense’

For Slashdot blogger hairyfeet, the only questions are, “what took them so long, and can they offer more than the black hats?” he told Linux Girl.

“Offering a bounty for bugs is just common sense when you are talking about software used as widely as Windows, which is why Google has been doing it for a couple of years now, so better late than never,” he said.

At the same time, “with malware being a billion-dollar business and hacker kits like metasploit making money hand over fist, I have to wonder if any bug bounty will get anything more than the weaker bugs,” hairyfeet admitted. “The zero-days that can do the most damage are simply worth more money than what these companies are offering.”

‘It Would Be a Better Product Today’

Last but not least, “they should have open sourced Windows, the OS, and kept only the office and connectivity software,” Google+ blogger Alessandro Ebersol began, “but no, they wanted to keep their power over the platform.

“Well, all those mistakes charge their toll today,” Ebersol went on. “The consumer got so fed up with the two big brands (Microsoft and Apple) that they decided to follow a third way: tablets and smartphones, where those companies are not so powerful.”

The move would not have been necessary “had they done the right thing years and years ago,” Ebersol concluded. “If the Windows operating system had been detached from Microsoft, it probably would be a better product today, and all this bug hunt would not be needed.”

Katherine Noyes is always on duty in her role as Linux Girl, whose cape she has worn since 2007. A mild-mannered ECT News Editor by day, she spends her evenings haunting the seedy bars and watering holes of the Linux blogosphere in search of the latest gossip. You can also find her on Twitter and Google+.