Teen saves Gates from hackers, gets nothing

19-year-old raises the alarm over security hole and is rewarded with precisely £0

A teenager who discovered a security hole in Windows and worked with Redmond for six months to fix the problem has received his reward from the multi-billion dollar company: a mere note of thanks on its website.

19-year-old Matt Thompson from Aberdeen was newly employed with a local IT firm after leaving college when he discovered the security hole in the Jet Database Engine - which if exploited would have let hackers take control of a user's PC and given virus writers reason to smile.

He stumbled across the error while working on a database project for a client and, after crashing a server, realised something was amiss.

After several calls to various helpdesks with Thompson explaining that he wasn't a domestic user with a toolbar problem but had actually found a security error that needed fixing, Microsoft took his complaints seriously.

Half a year of code-swapping and collaboration later and the problem was sorted, with Thompson being sworn to secrecy over his security sleuthing achievements.

Gates and co issued the now-customary update and let customers know, but when the dust had settled, instead of bunging the teenage boffin a few quid from the bulging Microsoft coffers for his work, the software firm took a more low-key approach to their security saviour's work.

It added his name to the list of special acknowledgements on the corporate site.

While, according to reports, Thompson is quite chuffed to have worked with the software giant, many people have been left wondering if a company that can absorb a €497m fine without breaking stride could have given the tech whizzkid a cash sum for his trouble.

Comments

There are 55 comments.

  1. anonymous

    If Microsoft were to award this young guru a sum of money for his services I think all the hackers would suddenly find a new source of income.

    • 16 April 2004 15:54
  2. Carl maycock

    Yeah but at least Microsoft would end up with a decent OS!

    • 16 April 2004 17:15
  3. anonymous

    Well apparently this kid was very smart... but not smart enough to work out a contract before working on the project.

    • 16 April 2004 18:08
  4. Martin Brice

    Thank you. I don't remember MS going to this kid and asking him to do anything. He could have stopped helping MS any time he wanted to but, this seemed like more of a pet project to him. It didn't sound like he was expecting anything from MS either...I guess it was a slow news day...

    • 16 April 2004 19:21
  5. anonymous

    Yea, then everyone will be happy then too. Hackers get money and they leave M$ alone.

    • 16 April 2004 21:11
  6. anonymous

    What is the going rate for vulnerabilities? What if hackers start charging for them? Quite a cottage industry there. Fortunately this is not the case. This type of information needs to remain free and open. In moody cases, the person who finds vulnerabilities will most benefit from the public acknowledgement that they receive.

    • 16 April 2004 21:58
  7. Johannes Boneschanscher

    If Microsoft would pay for finding bugs in their own software, they could very well replace their own active research with a very cost effective event based type of research.

    Just my two cents...

    • 16 April 2004 22:02
  8. Jonathan Yu

    Imagine thousands of hackers trying hard to find security flaws in windows, report politely, and work together with Microsoft to fix the problems.
    Isn't that a good thing for Microsoft?

    Well, they might have their own reasons not to encourage this.

    • 16 April 2004 23:41
  9. anonymous

    Yes, some hackers would make money, but it would mean a more secure computing environment. If Bill "security" Gates really wants to clean up his software, what better way than to pay real people to find and fix the problems? Instead, he hires some of the smartest people on the planet and turns them into morons.

    • 16 April 2004 23:57
  10. David B. Donahue

    This kid did the right thing and deserves some kind of reparation for the time involved in fixing the bug.

    If it would be a source of income for hackers, then if this kind of activity is what it encourages them to do, then I'm all for it.

    If all hackers quietly contacted the software manufacturers and worked diligently (like this kid) to fix the security holes, instead of exploiting them for fun/profit, the world would be a much better place.

    • 17 April 2004 09:35
  11. anonymous

    Anything which keeps hackers gainfully occupied seems good to me, especially if Bill's paying. Perhaps Microsoft should have given the bloke a bumper bundle of programming tools: it wouldn't have cost them much and the company would get some positive publicity out of it.

    • 17 April 2004 14:24
  12. JohnBoy

    Since Microsoft has put security on its agenda recently, I'm surprised they haven't paid this lad anything. If I found a hole in Microsoft code, reading this certainly wouldn't motivate me to get in touch with Microsoft to get the hole closed if I thought I wasn't going to be rewarded for my efforts. With this attitude, Microsoft may find people choosing to exploit these holes rather than get them closed... my name mentioned on Microsoft.com??? Is this the best the world's largest software company (with the world's richest man in charge) can do?

    • 17 April 2004 17:21
  13. The Clone

    If Microsoft were to award every person who found security vulnerabilities in their products, that company would be bankrupt. That young fellow should be happy Microsoft even acknowledged him on their website.

    Vulnerability fixes and discoveries should be for the good of the community, not for profit. If he wanted money then he should have contacted Microsoft as a consultant, and made up a contract.

    Simple as that.

    • 17 April 2004 17:54
  14. anonymous

    There is a difference between Hackers and CyberPunks but everyone wants to call those who write code in a non-Mac environment programmers and those who exploit code for pranks, viruses, worms, Trojan Horses as Hackers when in fact they are not Hackers but Cyber Punks. In fact if you ever pay attention to the Macintosh world they hold Hacking Contests for those who can write the most original and creative code out there for programming purposes NOT to harm others' programs and/or computers.
    In fact this is the kind of reason why more people hate Bill Gates & CO. and are starting to switch to other platforms such as Mac OS X and the different varieties of Linux out there in this computer world. It's because Gates wants people to help out his company but won't pay them for helping out. Steve Jobs (CEO of Apple Computers) learned the hard way that you must try to treat others with respect and acknowledge their hard work with more than just a small tiny note saying thanks in a Special Acknowledgements that most people don't hardly visit.
    And would it be so bad if our CyberPunks started creating software for good purposes instead of evil purposes? After all if we started converting more of the bad guys into good guys then there would be less bad guys out there to worry about when we sleep at night.

    • 17 April 2004 19:17
  15. jose

    And don't you think he deserves to get some money after helping them with the hole in the system?

    • 17 April 2004 21:18
  16. Joe Whitehead

    LOL, yep. And I bet I'd have a new job. (; Come on, make a fund for rewards, ala the FBI or Interpol.

    If I got paid to make MS's software secure, I'd suddenly actually be learning .NET and not NASM.

    Can you imagine how many people would register W32DASM, and buy softice/sourcer/VPC? Man that would make the hackers who made those programs happy. (:

    PS I still use Bill Gates' baby: MS BASIC (Though now I use QuickBASIC/PowerBASIC instead of .NET - consider it too slow).

    • 18 April 2004 22:20
  17. Hans Neukomm

    This is just another sample of the opposite of Open Source - doing it together with all users, letting fully paying customers and
    users pay for your mistakes, then let fully paying customers work on your mistakes to solve them to further
    increase your own profits - and share nil or as little as absolutely necessary with those who have made you rich.

    With other words: Take from all pockets and put it all into one pocket. An easy way to turn professionals into other channels like
    Open Source or competing companies. But maybe that's what Bill wants? Company suicide... by turning skilled and devoted HONEST professionals away and down.

    • 18 April 2004 22:44
  18. anonymous

    Gates and Microsoft should be ashamed of this. Poor lad.

    • 18 April 2004 23:17
  19. Mike

    I personally don't think that he should have expected to get any sort of reward; let's face it, he's not the first to find a vulnerability and won't be the last. As far as I'm aware, no-one in the past has received anything more than a mention on the MS website - why should this guy be any different?
    I saw a report on TV and it seemed like it was his boss who was more upset at the lack of any real reward.

    • 19 April 2004 10:12
  20. anonymous

    I think that Microsoft have enough bugs to be getting on with, thank you very much, and the last thing they need is people popping up every day saying 'I told them about this six months ago' about bugs which are way down their fix list.

    • 19 April 2004 10:19
  21. Julian Davis

    Can't find the "special acknowledgement" anywhere on the Microsoft site. Where is it then?

    • 19 April 2004 10:29
  22. anonymous

    You have to be pretty naive to think he has not been paid off. Nice sensationalist article though, slow news today??

    • 19 April 2004 10:36
  23. anonymous

    And you'd have to be even more naive to assume any such thing. It is at least conceivable that he has not been paid off, so why is suggesting this naive? Do you know something we don't?

    • 19 April 2004 11:29
  24. anonymous

    Hey, a lot of people get tired of Microsoft's power in the industry ... but the vitriol of silicon.com against Microsoft is becoming tiresome.

    • 19 April 2004 13:51
  25. anonymous

    Good old news-worthy Micro$oft.

    At least he got them to listen. Some years ago one of my team found a really easy way of capturing usernames and passwords from Outlook, and told MS in the States - they wouldn't listen, said it was impossible, and hung up.

    I'd like to think this lad got something - but I doubt it.

    • 19 April 2004 13:59
  26. Matt Thompson

    Well I got a new job out of it.......

    • 19 April 2004 14:47
  27. anonymous

    Wow - I see WAY too many money-hungry cry-babies in here. This guy did what any self-respecting and honest person should do. Expecting a money reward for HELPING to fix an issue is pretty damn pathetic.

    He is not, nor ever was on Microsoft's payroll. At any time during the six months he was working with Microsoft he could have brought the issue up - but didn't obviously. That was his choice - if he had made it clear that he wanted something out of the deal Microsoft would have either agreed, or said hell no and fixed it themselves. Even if it would have taken longer - so what - they would have done it.

    You don't meet a stranger on a street - help him fix his flat tire/broken down vehicle and then EXPECT a reward afterwards if nobody mentioned one up front. It's called common decency and common sense.

    • 19 April 2004 18:23
  28. Dave B

    Personally I think young Matt deserves a pat on the back, not only did he spot a hole, but gave his time and energy to help fix it. I note that it is not Matt that is complaining about not being rewarded, it is the Journo's making a big deal out of it. Well done Matt!

    As an aside, there are so many posts claiming that MS software is rubbish, MS has all the power and money etc etc. Well, if these writers know so much, why don't THEY produce an O/S that is accepted worldwide and as easy to use??? Personally I think it is just jealousy. And as for the Open GL Advocates... I tried Linux on one of my machines. I even stuck it out for a few months, but eventually had the greatest of pleasure reformatting and installing proper software and O/S

    Returning to topic, if there were more people like Matt out there, prepared to help rather than condemn, the world would most certainly be a better place. Watch out for his name in the future, that is a lad with a bright future ahead of him.

    • 20 April 2004 01:40
  29. Mick Holt

    Many companies have award/reward schemes which work excellently to save the company money and encourage ideas. This young lad wasn't looking for remuneration, but it doesn't mean he shouldn't have got some. The bug he found could have cost MS millions, but thanks to him it didn't. Shame they couldn't have rewarded him - just think of the good PR that would have been. As for some of your negative posters, they make me wonder what company they work for, with that kind of attitude. Good efforts should be rewarded appropriately, in any company, if only as a gesture of goodwill.

    • 20 April 2004 13:15
  30. anonymous

    Matt Thompson wants to work for himself and hopefully one day HE will have a company that knocks a few dents into Bill Gates's company. Bill Gates might think he is a clever bloke who can exploit others' expertise but one day it will backfire on him. Matt Thompson deserved to be paid for his efforts and his honesty. If we don't reward honesty then the crooks have won.

    • 20 April 2004 13:26
  31. Nick Bloor

    The fact that Matt Thompson can put something like that on his CV & also gets a mention on the Microsoft site is great.
    I wish him all the best and encourage him to make the best use of this outcome as it would do his career the world of good in the long run.

    • 20 April 2004 13:41
  32. anonymous

    All things said, "to do good and distribute forget not for in such sacrifices the Lord is well pleased" is a quote that speaks volumes to the axiom that all rewards need not necessarily be negotiable!

    • 20 April 2004 21:22
  33. anonymous

    For all of you wonderfully narrow minded individuals, ANYONE who works in this country deserves to be paid for his work.

    • 21 April 2004 00:41
  34. Mycroft Sow

    The problem is Microsoft's inconsistent. They give a bunch of software to Mike Rowe (formerly of www.mikerowesoft.com). Didn't need to be a cash reward, they could have ponied up a free MSDN subscription or something, or a Bill Gates color-changing coffee mug or something. They're cheapskates.

    • 21 April 2004 04:40
  35. anonymous

    He's an employee for another firm. He did not do this through a discovery in his own time. If a reward were forthcoming then it would go to his employer not him unless the employer passed it on.

    • 21 April 2004 14:22
  36. anonymous

    This will only send a warning shot over the bow to others not to bother helping Microsoft, and their system will return to the old state of denial of problems, and hoping the DOJ looks the other way when every year, they *resell* the same system with a few fixes for the same price (1980s all over again).

    Doesn't pay to help Microsoft bash your skull for more money out of your own pocket, now does it? (My ISP tried whining I should use Windows and not Linux, but funny their server got a "windows warning" that shut them down for over an hour, and I was waiting on their system...next day, it went out again, and Linux got online, but XP had to wait for the system to correct itself.)

    If Gates ran US Steel or AT&T, he would have been stopped dead years ago. Worse still, it's not like he makes the superior product. Don't bash the kid for trying to help others...bash the short sighted morons at Microsoft who won't figure it out until the DOJ *finally* comes down on them with *backbone*.

    • 21 April 2004 18:47
  37. anonymous

    If mickeysoft paid a buck for every bug in windows, their coffers would likely be empty.

    • 22 April 2004 06:41
  38. code moose

    This kid could have been given something, perhaps a new computer, free software,

    The kid was placed in a position of trust at Microsoft; he honored that trust and came through with "the goods" and (seemingly) has been "above board" with his actions.

    They could have even awarded him a job there, or perhaps paid for some of his college?

    I'm thinking if I was his "defacto-boss", I would have come up with something, even if it was out of my own pocket.

    On the other side, hopefully and perhaps the kid will garner something for merely being recognized... who knows.

    There's many separating factors between the character and actions of this kid and the common cracker.

    • 22 April 2004 06:57
  39. Ann Knudson

    Microsoft should have given this guy something, out of enlightened self-interest. If they did, the next person who finds a security hole would have good reason to tell them. Since people who find holes now know they'll get nothing but a pat on the back for reporting it, how many will bother? Not as many as would if there was something in it for them.

    • 22 April 2004 15:58
  40. anonymous

    Open Source software works the same way. Work on a patch for six months (ok, 3 months because there is no bureaucracy) and you will get your name on a web page.

    • 22 April 2004 17:40
  41. karl mamer

    Curiously this is exactly how a young Bill Gates got his start, finding bugs that crash a computer. But Gates was paid for it.

    • 23 April 2004 01:05
  42. Steve Knight

    So if Martin Brice lost his wallet and someone found it, but had to do a fair bit of work to trace its owner and return it to Martin, then Martin would not feel there was any reason to reward the finder on the grounds that he was not asked to return it.

    • 23 April 2004 12:37
  43. anonymous

    Open Source software works the same way. Work on a patch for six months (ok, 3 months because there is no bureaucracy) and you will get your name on a web page.

    • 23 April 2004 13:46
  44. PFC Dennis Winningstad

    Granted, if I was a PR director, I would grab a copy of XP Pro, the latest and greatest programs for programming that MS has out, and throw in a free t-shirt for kicks. But the bottom line is still a couple things that I can see:

    1 - This kid doesn't seem nearly as horrified about it as his boss is making a big deal out of it.

    and

    2 - When in this six month period did Matt Thompson stop and think, "Gee, it might be a good idea to get a work contract with MS so I get paid for this."

    I'm sorry, but this is business, and it is a dog eat dog world out there.

    • 23 April 2004 21:21
  45. Anon

    M$, it sounds to me like a quick way to turn would-be patchers into hackers. If an honourable mention on your website is all the thanks one gets for possibly saving you MILLIONS, a lot less people are going to be willing to help, and a lot more will look for ways to hurt you out of spite. Great Business Model!

    • 27 April 2004 19:58
  46. Bob Schmidt

    Gates is a greedy grub squabbling giant that takes for granted everything people do for him

    • 29 April 2004 19:28
  47. Linux machine

    Microsoft ain't got no good OS!
    LINUX ROCKS!

    • 29 April 2004 19:30
  48. blah

    If Microcrap had any generousness then they would have given the kid something

    • 29 April 2004 19:33
  49. anonymous

    Good work deserves good pay

    • 1 May 2004 21:45
  50. Alistair Thomas

    Wow! What an emotive subject!

    So many lessons, it's hard to know where to start.

    It's wrong to EXPECT something from doing someone a favour.

    I wouldn't compare helping a software giant with its commercial software to returning somebody's lost purse. You should do good things in life because it's the right thing to do and because if you do it with an open heart it makes you feel good.

    It is right to show gratitude when someone shows you a kindness. Not everything has dollar value. It could be a smile, a handshake, a commitment to return the favour at some future date. Microsoft could have bought him a small country and it would have meant less than nothing if it wasn't sincere.

    In an Ideal world, I'd have given Matt's company some financial compensation for the inconvenience of working with a product that was not fit for purpose. The reward of recognition could go a lot further. Whether Matt loves MS or just makes his living out of working their products, MS could do a lot more. They could give him a lifetime licence to their products (He'd value it even if some of the contributors here would not). Let him be part of the beta test programme. He becomes a bleeding edge expert on the latest stuff which may well thrill him or enable him to cash in his experience at every stage of his career.

    I would like to think that during the 6 months that he worked with MS that someone got to know him quite well and made a gesture of gratitude that made Matt happy.

    I was best pleased by Matt's own comment that he'd got a new job. Whatever the truth of all this, it's between MS and Matt. I hope Matt has a rewarding and satisfying career. He seems to have made a good start.

    • 4 May 2004 19:23
  51. anonymous

    So the lad gets a new job. I am guessing for better pay. Well done him.

    His boss sounds upset. And people here are suspicious that his boss is really upset as he was paying him to work for M$.

    I reckon the kid did OK and the boss might spend more time checking how his programmers are making him money.

    • 4 May 2004 20:54
  52. Count Zero

    It would be a more peaceful world if hackers earned their money this way and not releasing worms and viruses over the web. I think a reward wouldn't have been too much. Or do you prefer to see the hackers blackmail MS?

    • 5 May 2004 11:46
  53. anonymous

    Just to confirm the post by "matt thompson" saying he got a new job was not him posting

    • 23 May 2004 16:00
  54. anonymous

    still doesn't stop the kid from being a loser in real life tho, trust me :)

    • 14 February 2005 01:46
  55. anon

    Suppose someone finds a hole that exposes thousands' private data and reports it immediately and no one really cares. Then they are investigated to the tune of $$$$ in attorney fees and more. Makes one think twice about doing the right thing.

    • 23 December 2009 02:38