Microsoft: We're not Paying for Bug Bounties
Individual researchers don't want to report security flaws because Microsoft doesn't reward their efforts with money.
Last week Mozilla announced that it was raising its "bug bounty" to $3,000--that is, the company is now paying researchers three Grover Cleveland bills for digging up security flaws found in Firefox, Thunderbird, Firefox Mobile, and other Mozilla-based software. Four days later Google revealed a similar bounty, but upped the ante with a slightly larger $3,133.7 (get it?) bounty.
As for Microsoft? They're not paying a dime. "We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way," Microsoft's Jerry Bryant said in an email. "Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researchers' contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."
He added that although the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft. "We’ve had several influential folks from the researcher community join our security teams as Microsoft employees," he said. "We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."
Apparently Microsoft isn't the only company stingy with the cash, as both Adobe and Apple do not pay for bugs discovered by outsiders. The big three typically dump their resources into "boutique consultancies" as payment for digging up security flaws, leaving nothing for the outsiders. For this reason, many individual researchers have been encouraging peers to stop reporting vulnerabilities found on their own time.
So the KIN can take 240Mil from XBOX, but MS can't spend a cent on improving security? I would say more... but this would become a 3-page rant.
too big to fail?
Because it would cost them millions due to overwhelming bugs found.
No, I like Windows 7, I'm just saying nobody's perfect.
Heh, if MS had to pay for each bug reported, they'd probably go bankrupt...
But seriously, all kidding aside, they are just stingy... I mean, look at their history. That's entirely what they have always been (among other things)... It won't change. They think they're above everything else and just do their own thing... I agree with connie; if I started, this rant would go on and on and...
Microsoft probably has a whole team of fully staffed security experts, why would it want to pay more for what they're already doing? As for being cheap, personally I would much rather be taught to fish than be given one.
> Microsoft probably has a whole team of fully staffed security experts, why would it want to pay more for what they're already doing? As for being cheap
Obviously the history of security problems shows that they are not enough. Real-world security requires real-world exposure outside of the lab where fools are in abundance and have direct access to the system the software is on.
Why pay for single finds when you can just hire the right people to find them?
whatever, it's their prerogative, I don't think it really matters one way or the other
Debugging a web browser is a lot less expensive for Google or Mozilla than debugging an OS from Microsoft. Of course they're not paying 3 grand a pop, it'd cost them billions.
Well, one more reason to hate MS and Apple.
Though I admit that I use Windows for I am too naive for Linux.
There is money in finding bugs, even if you don't get the money directly from Microsoft or Apple and the information is still provided to the vendor giving them a chance to patch up the hole.
This is an interesting read http://www.forbes.com/2010/07/14/a [...] u-shi.html
ms is a cheap mofo
ADOBE needs to burn FLASH. It has successfully frozen 4 out of 4 computers with NO FIX ANYWHERE IN SIGHT. I've tried betas, new display drivers, new versions, old versions, etc. FLASH is crap. Every single flash ad and flash video flashes both of my screens and stops playing video. If you close the browser you get an instant lock up (mouse freeze and everything) requiring a hard boot. I've been trying to resolve this issue for 5 weeks now, since 10.0.42 was updated. Too bad going back to the older version didn't resolve the problem either.
IF I were MS I wouldn't pay either. But ADOBE needs to, because they are on the verge of losing every Flash customer on the planet.
I can see why it would be nice for Microsoft to pay - but you guys all calling Microsoft 'cheap' seem to misunderstand how businesses work.
Why not outsource Windows to Turkey? Isn't that where most of the hacking comes from? Somewhere in Europe?
I do appreciate Mozilla's dedication, but that is too much money to give away!
Hmm... If I were MS, I wouldn't pay either. Their own security team, coupled with some of the major outside security firms that do their own testing for flaws serve them well enough methinks. Sans, CERT, Secunia and others do quite a bit of bug testing, and most will advise MS if a flaw is found.
Keep in mind that developing a patch, and doing the required testing prior to release may take a month for a simple patch, or two months for a complex patch.
> Microsoft's Jerry Bryant said in an email.... the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft... Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported.
Yes, offering them full time employment to shut them up.... If only these poor fools would prove the folly to Microsoft for not taking them up on their offer, these guys could just as easily auction off the security flaw to internet thieves on eBay for a lot more if it really compromises security in such a bad way to allow them to exploit something worth their time and money to attack systems everywhere.
Best way to beat a criminal is to think like a criminal. Getting your bank account and PIN # is not likely or probable, however obtaining routing information and personally identifying information is. Blackmailing the victim with a threat to reveal that information to others works just as easily if some poor fool is getting an affair on at ashleymadison.com and doesn't want his wife to find out and divorce him along with 1/2 of whatever they own! I'm sure there's lots of better ways to exploit things, this was just a fast easy way to set an example.
There are lots to say about Windows past and present but failures are needed to perfect the "software".
Oh well, then maybe a few of these "experts" Microsoft claims it has snatched up can earn a quick buck on the side helping make Mozilla even better than micro$ garbage.
> Because it would cost them millions due to overwhelming bugs found. No, I like Windows 7, I'm just saying nobody's perfect.
The vast majority of security flaws in Windows 7 come from 3rd party programs (mainly those made by garbage companies like Adobe)
> So the KIN can take 240Mil from XBOX, but MS can't spend a cent on improving security? I would say more... but this would become a 3-page rant.
They spend plenty of cents on improving security, that's what the security team at Microsoft is for. They pay their internal people to do their job. Start paying random people off the street and then these people with legitimate taxpaying jobs will be laid off.
Why should MS pay for someone outside the company to find bugs? That is why they employ people to do that. If google & firecrotch want to pay then let them, & in a year we will see who is about to go out of business because they spent too much money this way. Ok, so saying google would go out of business is a bit much, but firecrotch sure the heck cannot do it for very long, & yes there are many many bugs in firefox to fix. Yes, I use firefox myself, but it crashes just like any other software.
I find this silly. If you want to improve security, crowdsourcing the flaws is a must - that's how the open source community does it, and they do it quite well. You really should take a page from them, MS.
yeah I get it, 1337, leet
I think anyone who finds a critical bug should be rewarded somehow, at least with recognition from MS, since their team didn't catch it first.
I guess that's why counterfeiters/pirates are saying
I'm not paying $200 for buggy / flaw-filled software
Food for thought, M$ucks
> ADOBE needs to burn FLASH. It has successfully frozen 4 out of 4 computers with NO FIX ANYWHERE IN SIGHT. I've tried betas, new display drivers, new versions, old versions, etc. FLASH is crap. Every single flash ad and flash video flashes both of my screens and stops playing video. If you close the browser you get an instant lock up (mouse freeze and everything) requiring a hard boot. I've been trying to resolve this issue for 5 weeks now, since 10.0.42 was updated. Too bad going back to the older version didn't resolve the problem either. IF I were MS I wouldn't pay either. But ADOBE needs to, because they are on the verge of losing every Flash customer on the planet.
For some reason, Flash is sensitive to memory that is overclocked to the limit. At least that was the fix in my case, when nothing video or otherwise helped; I eased off of my memory settings. (Wasn't pleased, but it worked.) Hope this helps.
> ADOBE needs to burn FLASH. It has successfully frozen 4 out of 4 computers with NO FIX ANYWHERE IN SIGHT. I've tried betas, new display drivers, new versions, old versions, etc. FLASH is crap. Every single flash ad and flash video flashes both of my screens and stops playing video. If you close the browser you get an instant lock up (mouse freeze and everything) requiring a hard boot. I've been trying to resolve this issue for 5 weeks now, since 10.0.42 was updated. Too bad going back to the older version didn't resolve the problem either. IF I were MS I wouldn't pay either. But ADOBE needs to, because they are on the verge of losing every Flash customer on the planet.
you are an idiot
Losing every flash customer on the planet?
Search google for flash games; there are 100's of sites out there that host flash games.
Flash isn't going anywhere, moron.
Sure they have their own security specialists but if it was not for other researchers leaking vulnerabilities they would not get fixed.
There were 2 very large security holes that other security experts kept telling Microsoft were being exploited in the wild, yet Microsoft took 14 years to fix the problem? That is a little too long.
If it was not for other researchers pointing out these flaws, Windows would be even worse, but trying to do it on your own does not work. Most of the largest security holes were pointed out by independent security specialists, but they were getting this info for free, so they think why should they pay for something they were getting for free anyway?