
Microsoft: We're not Paying for Bug Bounties

Source: Tom's Hardware US | 33 comments

Individual researchers don't want to report security flaws because Microsoft doesn't reward their efforts with money.

Last week Mozilla announced that it was raising its "bug bounty" to $3,000--that is, the company is now paying researchers three Grover Cleveland bills for digging up security flaws found in Firefox, Thunderbird, Firefox Mobile, and other Mozilla-based software. Four days later Google revealed a similar bounty, but upped the ante with a slightly larger $3,133.7 (get it?) bounty.

As for Microsoft? They're not paying a dime. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way," Microsoft's Jerry Bryant said in an email. "Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."

He added that although the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft. "We’ve had several influential folks from the researcher community join our security teams as Microsoft employees," he said. "We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."

Apparently Microsoft isn't the only company stingy with the cash, as both Adobe and Apple do not pay for bugs discovered by outsiders. The big three typically direct their resources to "boutique consultancies" as payment for digging up security flaws, leaving nothing for independent outsiders. For this reason, many individual researchers have been encouraging peers to stop reporting vulnerabilities found on their own time.

Comments
  • azconnie, July 23, 2010 7:13 PM (+24)
    So the KIN can take 240Mil from XBOX, but MS can't spend a cent on improving security? I would say more... but this would become a 3 page rant.
  • seraphimcaduto, July 23, 2010 7:21 PM (+4)
    too big to fail?
  • sliem, July 23, 2010 7:21 PM (+18)
    Because it would cost them millions due to overwhelming bugs found :) .
    No, I like Windows 7, I'm just saying nobody's perfect.
  • SirGCal, July 23, 2010 7:22 PM (+7)
    Heh, if MS had to pay for each bug reported, they'd probably go bankrupt...

    But seriously, all kidding aside, they are just stingy.. I mean look at their history. That's entirely what they have always been (among other things)... It won't change. They think they're above everything else and just do their own thing... I agree with connie; if I started, this rant would go on and on and...
  • lespy, July 23, 2010 7:23 PM (+8)
    Microsoft probably has a whole team of fully staffed security experts, why would it want to pay more for what they're already doing. As for being cheap, personally I would much rather be taught to fish rather than being given one.
  • jhansonxi, July 23, 2010 7:30 PM (+5)
    lespy: "Microsoft probably has a whole team of fully staffed security experts, why would it want to pay more for what they're already doing. As for being cheap..."

    Obviously the history of security problems shows that they are not enough. Real-world security requires real-world exposure outside of the lab, where fools are in abundance and have direct access to the system the software is on.
  • tapnick, July 23, 2010 7:31 PM (+1)
    Why pay for single finds when you can just hire the right people to find them.
  • sneaky jedi, July 23, 2010 8:05 PM (+3)
    whatever, it's their prerogative, I don't think it really matters one way or the other
  • buddhav1, July 23, 2010 8:10 PM (+1)
    Debugging a web browser is a lot less expensive for Google or Mozilla than debugging an OS from Microsoft. Of course they're not paying 3 grand a pop, it'd cost them billions.
  • rohitbaran, July 23, 2010 8:17 PM (0)
    Well, one more reason to hate MS and Apple.
  • rohitbaran, July 23, 2010 8:18 PM (-1)
    Though I admit that I use Windows for I am too naive for Linux.
  • Anonymous, July 23, 2010 8:25 PM (+1)
    There is money in finding bugs, even if you don't get the money directly from Microsoft or Apple and the information is still provided to the vendor giving them a chance to patch up the hole.
    This is an interesting read http://www.forbes.com/2010/07/14/apple-microsoft-security-technology-wu-shi.html
  • formin, July 23, 2010 8:37 PM (0)
    MS is a cheap mofo
  • antilycus, July 23, 2010 9:14 PM (-6)
    ADOBE needs to burn FLASH. It has successfully frozen 4 out of 4 computers with NO FIX ANYWHERE IN SIGHT. I've tried betas, new display drivers, new versions, old versions, etc. FLASH is crap. Every single flash ad and flash video flashes both of my screens and stops playing video. If you close the browser you get an instant lock up (mouse freeze and everything) requiring a hard boot. I've been trying to resolve this issue for 5 weeks now, since 10.0.42 was updated. Too bad going back to the older version didn't resolve the problem either.

    If I were MS I wouldn't pay either. But ADOBE needs to, because they are on the verge of losing every Flash customer on the planet.
  • pojih, July 23, 2010 10:05 PM (+1)
    I can see why it would be nice for Microsoft to pay - but you guys all calling Microsoft 'cheap' seem to misunderstand how businesses work.

  • JOSHSKORN, July 24, 2010 12:25 AM (-2)
    Why not outsource Windows to Turkey? Isn't that where most of the hacking comes from? Somewhere in Europe?
  • kikireeki, July 24, 2010 1:01 AM (+1)
    I do appreciate Mozilla's dedication, but that is too much money to give away!
  • croc, July 24, 2010 3:44 AM (+1)
    Hmm... If I were MS, I wouldn't pay either. Their own security team, coupled with some of the major outside security firms that do their own testing for flaws, serve them well enough methinks. SANS, CERT, Secunia and others do quite a bit of bug testing, and most will advise MS if a flaw is found.

    Keep in mind that developing a patch, and doing the required testing prior to release may take a month for a simple patch, or two months for a complex patch.
  • f-14, July 24, 2010 3:56 AM (-3)
    "Microsoft's Jerry Bryant said in an email.... the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft...Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported."
    Yes, offering them full time employment to shut them up.... If only these poor fools would prove the folly to Microsoft for not taking them up on their offer; these guys could just as easily auction off the security flaw to internet thieves on eBay for a lot more, if it really compromises security in such a bad way as to allow them to exploit something worth their time and money to attack systems everywhere.

    Best way to beat a criminal is to think like a criminal. Getting your bank account and PIN # is not likely or probable; however, obtaining routing information and personally identifying information is. Blackmailing the victim with a threat to reveal that information to others works just as easily if some poor fool is having an affair on ashleymadison.com and doesn't want his wife to find out and divorce him along with 1/2 of whatever they own! I'm sure there are lots of better ways to exploit things; this was just a fast, easy way to set an example.
  • dEAne, July 24, 2010 5:30 AM (0)
    There are lots to say about Windows past and present but failures are needed to perfect the "software".