The offer is limited to bugs that are not already known to Microsoft or their partners, and they are not disclosing what these bugs are, and they are making no claim to have fixed them. I made a submission to Intel and others weeks after some were claiming to have mitigated this with small reductions in timer resolution, showing that the timer mitigation would not stop these vulnerabilities; no one would pay out, said they were already aware of it. Have they informed the public, have they withdrawn their product, have they transitioned their user base to safer products??? No one is going to hand over their well documented exploits under such terms. Let them offer twice the reward for public disclosures of issues that they already know and have not fixed or not warned the public about, and then we might take their offer seriously.
I don't understand the disincentive you're describing. Unless you believe that Intel or Microsoft would lie about already knowing about a vulnerability --- which is extremely dumb, given how minimal the expense is, and how much publicity you'd immediately generate by going public --- then what's the risk?
> I [showed] that the timer mitigation would not stop these vulnerabilities
Yes, that was obvious to people with some background in this class of attacks. Good on you for figuring that out independently (seriously!), but you're not going to get a bounty for something widely known.
I've heard similar frustrations from bug-hunters before. I don't know enough to side with anyone, but it would be nice if there were some kind of oversight body for this sort of thing, an independent third party that offered some consistency in the experience.
If I had the choice I would take 250k$ non-sketchy money from MS over any amount of xxx sketchy money from any other company. Yes, you could get a lot more money in some cases but MS will be the easiest way to get it.
Bug bounties are good but they wouldn't have prevented Spectre-Meltdown. The only way to prevent such a fiasco is for the bugs to never exist in the first place. The only difference bounties make is that hopefully vendors patch the issue before it becomes widely exploited. In the case of S/M, vendors got many months of notice and it was still a fiasco - that is the nature of software bugs.
For bugs to never exist in the first place? Let me put that one in the list of obvious things like “traffic accidents shouldn’t occur”, “drowning accidents shouldn’t occur”, “heart disease shouldn’t occur”.
I’m sure I missed something. Could you help me out ?
They wouldn't have prevented the bug, but they might have prevented the size of the fiasco, if they were found earlier, before everyone switched to vulnerable CPUs.
So that they aren't paying out huge sums of money for trivial defects in fringe products. For example a userland defect in editing tools of Sharepoint is not going to be worthy of a $250,000 reward to MS.
Bug bounties are no panacea or substitute for strong security thinking across different product stages and departments. We had Spectre and Meltdown due to the industry shortcoming in this regard, not because we didn’t conduct enough bug bounties.
I hope that as time goes on we find the open source approach to crowdsourcing bugs is actually so much more viable than bug bounties and combined with an increased need for security we find that many proprietary softwares are outmatched.
WebLLL | 8 years ago
tptacek | 8 years ago
JoachimSchipper | 8 years ago
c3534l | 8 years ago
ISL | 8 years ago
Grollicus | 8 years ago
250k is a huge bug bounty. It's a step in the right direction.
Waterluvian | 8 years ago
When I reward you for finding my wallet I don't give you the entire contents of it, even though I would have lost that much money.
yoodenvranx | 8 years ago
electrograv | 8 years ago
GoToRO | 8 years ago
davidkopf | 8 years ago
mastax | 8 years ago
whb07 | 8 years ago
icebraining | 8 years ago
the8472 | 8 years ago
I wonder what the rationale is for that narrow scope. Is it just that there aren't that many potential sources of side-channels?
austincheney | 8 years ago
mtmail | 8 years ago
sytse | 8 years ago
DyslexicAtheist | 8 years ago
- https://www.linkedin.com/pulse/bug-bounty-when-auctioning-of...
trisimix | 8 years ago
amelius | 8 years ago
rejectedalot | 8 years ago
It includes an implementation of the exploit in a few lines of javascript.
IncRnd | 8 years ago