Hello!

The Microsoft Security Response Center investigates all reports of security vulnerabilities sent to us that affect Microsoft products – this includes all of Microsoft online web properties such as *.microsoft.com, *.msn.com and *.live.com to name a few.

If you believe you have found a security vulnerability affecting a Microsoft product or online web property, we would like to work with you to investigate it.

We are concerned that people might not know the best way to report security vulnerabilities to Microsoft. You can contact the Microsoft Security Response Center to report a vulnerability by emailing secure@microsoft.com directly. We answer every mail on a reported issue with 24-hours (and it's not an auto-responder).

We also encourage users to visit [www.microsoft.com] where you can obtain our PGP Key and S/MIME certificate to ensure you provide adequate protection for the sensitive information you send us.

Sincerely,
The folks at the Microsoft Security Response Center

Thanks for taking the time to post the relevant details needed to contact you.

Also, may i suggest that MS step up its effort and perhaps even look at the way in which vulnerabilities (at least within your domains) are dealt with. I mean atm i am aware of at least two web based vulnerabilities within your control that are currently being exploited (not by me) and will not be reported. why? becuase the value of the data being stolen is more then a friendly thank you email.

And here in lies the problem with vendor notification. 10 times out of 10, the submitter will get nothing, and by this i mean nothing in the terms of a financial gain, either we get no reply, the threat of legal action or a quick thank you.

Therefore i propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this i suggest would be flood of vulnerabilities reported the first few months which would tapper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vun) I'm sure you could get away with it for less then 20-50k all told... which in the big scheme of things is a drop in ocean for MS.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

"Therefore i propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this i suggest would be flood of vulnerabilities reported the first few months which would tapper off to only 1 or 2 intermittently as new systems come online."

Why I don't disagree that a bit of monetary compensation would be quite well received I think it goes against the full disclosure policy as it could fall under extortion.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

@Andrew

Extortion is making threats, there are no threats here, its just the buying and selling of information, if microsoft doesn't want to buy it I'm sure someone else will.

Good and valid point. I had actually been thinking more toward an overzealous person demanding a large sum of money like those two queers from New York who just got prosecuted for trying to extort $150,000 from MySpace over a weak XSS bug they claimed to have found, and exploited.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

I think it's great news that Microsoft is posting, personally. The more people we get aware of the issue and the more the big companies agree to work with the people doing the research the more I think we will be able to show the smaller companies the correct path to securing their own sites.

I, for one, embrace working with big companies, and reserve full-disclosure to making a point or when all else fails. If a company is open and willing to work with us, I think we should take them up on that offer if it's as simple as MS has made it for us.

- RSnake
Gotta love it. http://ha.ckers.org

RSnake: yes.

I wonder if Microsoft is now extra concerned over web application attacks against their own infrastructure (note that this post they sent was about their infrastructure, not their products/solutions) lately because of this incident: [blogs.securiteam.com]

I can't comment one way or another, but I don't think any one issue has made Microsoft more willing, but rather an aggregate of many issues over the last 10-15 years and their own desire to help their consumers. That would be my guess, at least.

- RSnake
Gotta love it. http://ha.ckers.org

@kuzza55 - I would have to disagree that extortion is "making threats". Verbal threats are one thing, but by implying that if MS doesn't purchase the information then you'll sell it to another party, say a chinese hacker group for example, is still a form of extortion. Realistically, a company would want to protect its assets rather then have vulnerability information sold to a third party who would attempt to harm the company with the information purchased.



Edited 1 time(s). Last edit at 03/02/2007 01:25PM by Mephisto.

Hi folks at the Microsoft Security Response Center,

when will following issue be fixed?
[sla.ckers.org]

And according some friendly donations (see digi7al64's comment above), I'm sure RSnake will forward it to me for some additional gifts :-))

Come on, fulfill your statements (see your posting), you're 3 weeks late now ...

... they just want some geeks to audit their homepage in order not having to spend any money on websecurity.

You are able to sell these issues for large $$$ in the underground, but if you send them directly to Microsoft they will fix it and some low-ranking worker will say "thank you" for your work. Great.

@Mephisto:

Well, as I see it most western countries are free market economies, and I would just be selling information. If you think of security researchers as external independent R&D labs who can sell their findings to the highest bidder, its just a manifestation of that economy.

But even if it is ethically questionable; as long as its not illegal I think security researchers should start charging for their findings.



Edited 1 time(s). Last edit at 03/02/2007 07:21PM by kuza55.

@kuza55 - I agree that you would just be selling information, but in today's world "information" can also be construed as "intellectual property".

I think it is selling information for sure.

When you install Norton AntiVirus you don't agree to "send them a polite thank you note each time they update your computer with patches for expoits"... You agree to pay them a yearly fee to protect your computer.

It shouldn't be any different on the web, if I find an exploit, I should get something for it.

I don't think I should get to name the price, you would obviously get more extortion-type situations that way, but more valuable exploits do worse damage, and should be worth more.

-bubbles
[webmastertutorials.net]

> .. "information" can also be construed as "intellectual property".

haha, very good point: we have the copyright on each finding, and or the trademark, so we have to be payed for that when using the exploits for tests or whatever ...
free market economy strikes back ;-)

Definitely not extortion.

I agree with alf on this.

To chime in on the debate some more. Vulnerability researchers such as myself spend a lot of time finding these holes and then reporting them via full disclosure. Out of experience I know not to contact the site affected directly as it will always be more hassle then it is worth.

And herein lies the problem. I don't have the financial resources to search full time for vulnerabilities and therefore need to work. But... if i was to say get some type of monetary compensation for my time then i could possible quit my job and spend those hours searching for vulnerabilities and as a result, help to make a great number of popular websites more safer.

Criminals on the other hand, do have the time and money to search for the vulnerabilities because when the find them, they expoilt them in order to obtain profit. So as you can see, until people start getting paid for reporting vulnerabilities, the number of actual holes found and reported will continue to be outweighed by the number of vulnerabilities found, exploited and not reported.

Hence, until we are rewarded for reporting vulnerabilities, users of sites such as myspace, google, ebay, paypal, yahoo, msn, facebook and pretty much any other highly frequented site should consider themselves and any data they choose to place on this sites free game and in the public arena.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

I got a few on file, and they ain't getting nothin' from me. Sure I would be happy to file some to them, but first they need to unblock my IP. How else can I find flaws my friend? ^^

You they have been stopped to think, if they get to solve all the holes of security, the one of indirect works that could be lost?

Their errors, give many jobs nowadays, like the one of technician of systems, for example, thousands of experts who only dedicate themselves to update Windows when this fault.

I believe that all that bond but that a simple message, or the money that could pay by a vulnerability.

On the other hand, we accepted donations of the foundation Bill Gates to Third World Countries. What one has occurred until the moment we think that it is little.

I animate, to follow small thus!

Kindly,
Javico
[www.vicosoft.org]

I found it quite difficult to understand that last reply =[.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

Same here, normally I would have it with you AnDrEw, but thats not your fault typing on a wii ^^

Just Joking!



Edited 1 time(s). Last edit at 03/06/2007 01:17PM by jungsonn.

jungsonn Wrote:
-------------------------------------------------------
> I got a few on file, and they ain't getting
> nothin' from me. Sure I would be happy to file
> some to them, but first they need to unblock my
> IP. How else can I find flaws my friend? ^^

they specifically blocked your IP? some may consider that an honour, lol

Yup: [www.jungsonnstudios.com]


Screenie:

Wow... now there's a first!

- RSnake
Gotta love it. http://ha.ckers.org

Actually, the obviously bad thing is not that it can be circumvented, but rather than you can force other people to perform those attacks and get them blocked. Individual users is no big deal but think about the AOL super proxies? That could block 20k people or more in a single IP.

- RSnake
Gotta love it. http://ha.ckers.org

now THAT is something they should be really worried about...

Manager: "Just block the offending IP address..."
Network Admin: "What if the IP is spoofed and is the..."
Manager: "Just block it!"

Decisions are easy, until logic is introduced.

doesn't even have to be spoofed, I used to have a collection of AOL cds, not sure what happened to it.

-id

haha, now lets go and play ! ;-)

Would be a nice PoC if 10 of us could ban a couple of thousand users from their homepage.

No I said on certain pages they blocked me, not on the index itself. Which they should :) ah well, it doesn't make sense. it's not that I'm a XSS guru all of a sudden, I just do some other stuff which I guess they aren't happy with.