Thread: Microsoft Bounty Programs Expansion
Replies: 8 - Last Post: Oct 22, 2015 10:26 AM - Last Post By: Markus Humm
Ilya S

Posts: 21
Registered: 1/8/10
Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 1:16 AM
With Microsoft expanding its Bounty program (http://blogs.technet.com/b/msrc/archive/2015/10/20/microsoft-bounty-programs-expansion-net-core-and-asp-net-beta-bounty.aspx) to .NET Core and ASP.NET Beta, will or will not Embarcadero/Idera introduce a similar program for RAD Studio?
Raul Sinimae

Posts: 92
Registered: 5/8/08
Re: Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 6:33 AM in response to: Ilya S
Ilya S wrote:
With Microsoft expanding its Bounty program (http://blogs.technet.com/b/msrc/archive/2015/10/20/microsoft-bounty-programs-expansion-net-core-and-asp-net-beta-bounty.aspx) to .NET Core and ASP.NET Beta, will or will not Embarcadero/Idera introduce a similar program for RAD Studio?

There is a similar program - it works a bit differently though. The term is 1 year and you get bug fixes approx. twice a year. The main difference is that it's a "pay in" program and they call it Update Subscription :-)

On a more serious note, it would be interesting if they introduced one on a trial basis with non-trivial payouts - if for no other reason than just to see if it would result in people spending their time looking for vulnerabilities (with richer targets out there in terms of other companies and technologies).

Microsoft's offering appears to be for their "web facing" products only as well, so a very narrow focus for them also (i.e. CoreCLR AND ASP.NET together).

Raul
david hoke

Posts: 616
Registered: 2/9/07
Re: Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 6:52 AM in response to: Raul Sinimae
Raul Sinimae wrote:

On a more serious note, it would be interesting if they introduced one
on a trial basis with non-trivial payouts - if for no other reason
than just to see if it would result in people spending their time
looking for vulnerabilities (with richer targets out there in terms
of other companies and technologies).

I didn't look at that program link, but...

My guess is that this sort of program would not really directly benefit
them, other than possibly making a few 'winning' individuals happy.

I think they probably have a plethora of problems to work on and do not
have the resources (don't know about the inclination) to address them
all.
Raul Sinimae

Posts: 92
Registered: 5/8/08
Re: Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 11:46 AM in response to: david hoke
david hoke wrote:
My guess is that this sort of program would not really directly benefit
them, other than possibly making a few 'winning' individuals happy.

If you're referring to Embarcadero then I'm not so sure. A bounty itself would be just another checklist item and obviously in no way proves that there are no vulnerabilities - having some of these bounties paid out though (and fixed) would show a proactive approach (and part of a security strategy).

With the IoT push and things from DataSnap to EMS etc., there had better be a good security story coming at some point indicating they are serious about this.

I know with our customers they have a reasonable grasp of the risk factors of a well-known solution (Microsoft, Linux, Apache, etc.) but the Delphi bit always brings out the long security questionnaire and audit.

Raul
Ilya S

Posts: 21
Registered: 1/8/10
Re: Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 12:40 PM in response to: Raul Sinimae
Raul Sinimae wrote:
Ilya S wrote:
With Microsoft expanding its Bounty program (http://blogs.technet.com/b/msrc/archive/2015/10/20/microsoft-bounty-programs-expansion-net-core-and-asp-net-beta-bounty.aspx) to .NET Core and ASP.NET Beta, will or will not Embarcadero/Idera introduce a similar program for RAD Studio?

There is a similar program - it works a bit differently though. The term is 1 year and you get bug fixes approx. twice a year. The main difference is that it's a "pay in" program and they call it Update Subscription :-)

Humour taken :)

On a more serious note, it would be interesting if they introduced one on a trial basis with non-trivial payouts - if for no other reason than just to see if it would result in people spending their time looking for vulnerabilities (with richer targets out there in terms of other companies and technologies).

Microsoft's offering appears to be for their "web facing" products only as well, so a very narrow focus for them also (i.e. CoreCLR AND ASP.NET together).

Microsoft is expanding the program to more of their products. You really haven't heard about it, have you?
https://technet.microsoft.com/en-us/security/dn469163.aspx - Roster of Fame ;)
Yes, it is not about searching for bugs in Visual Studio; there is Microsoft Connect for this and other products.
Raul Sinimae

Posts: 92
Registered: 5/8/08
Re: Microsoft Bounty Programs Expansion
Posted: Oct 21, 2015 1:44 PM in response to: Ilya S
Ilya S wrote:
Microsoft is expanding the program to more of their products. You really haven't heard about it, have you?
https://technet.microsoft.com/en-us/security/dn469163.aspx - Roster of Fame ;)

I have, and those bounties are all for web facing tech.

CoreCLR and ASP.NET 5 as well as online services (O365, Azure) are all in areas where they face strong competition both from open source and from the likes of Amazon AWS etc. The one remaining one is OS mitigation bypass, which again is high value for them and is the foundation where all the other stuff runs (including ASP.NET).

Embarcadero's equivalent of this would be a DataSnap (and EMS) bounty and nothing else really.

I very much believe they are doing this for business reasons, to ensure they don't lose too much ground in the web side of things.

Raul

Edited by: Raul Sinimae on Oct 21, 2015 1:44 PM
Mike Margerum

Posts: 590
Registered: 12/1/99
Re: Microsoft Bounty Programs Expansion
Posted: Oct 22, 2015 5:54 AM in response to: Raul Sinimae

I very much believe they are doing this for business reasons, to ensure they don't lose too much ground in the web side of things.

m$ has been doing this for 15 years and this is why no one builds native
apps anymore.

Stupid of them to ignore the desktop app market and the lock-in that
comes with it.

I'm generalizing of course, but no one uses .NET to build desktop apps.
Nick Hodges

Posts: 2,414
Registered: 9/22/99
Re: Microsoft Bounty Programs Expansion
Posted: Oct 22, 2015 6:31 AM in response to: Mike Margerum
Mike Margerum wrote:

I'm generalizing of course, but no one uses .NET to build desktop apps.

I can concur with that. We went to the two-day Philly Code Camp a week
or two ago, and there wasn't a single talk on building desktop apps.
It was all ASP.NET and JavaScript.

--
Nick
Delphi Programming is Fun
Markus Humm

Posts: 5,113
Registered: 11/9/03
Re: Microsoft Bounty Programs Expansion
Posted: Oct 22, 2015 10:26 AM in response to: Mike Margerum
On 22.10.2015 at 14:54, Mike Margerum wrote:

I very much believe they are doing this for business reasons, to ensure they don't lose too much ground in the web side of things.

m$ has been doing this for 15 years and this is why no one builds native
apps anymore.

Stupid of them to ignore the desktop app market and the lock-in that
comes with it.

I'm generalizing of course, but no one uses .NET to build desktop apps.

I was a beta tester of a small VB.NET desktop app this year. I even
sponsored the developer an icon. He had used the default blank sheet
one from VS.

Greetings

Markus