Microsoft: We're not Paying for Bug Bounties
Individual researchers don't want to report security flaws because Microsoft doesn't reward their efforts with money.
Last week Mozilla announced that it was raising its "bug bounty" to $3,000--that is, the company is now paying researchers three Grover Cleveland bills for digging up security flaws found in Firefox, Thunderbird, Firefox Mobile, and other Mozilla-based software. Four days later Google revealed a similar bounty, but upped the ante with a slightly larger $3,133.7 (get it?) bounty.
As for Microsoft? They're not paying a dime. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way," Microsoft's Jerry Bryant said in an email. "Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."
He added that although the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft. "We’ve had several influential folks from the researcher community join our security teams as Microsoft employees," he said. "We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."
Apparently Microsoft isn't the only company stingy with the cash, as both Adobe and Apple also do not pay for bugs discovered by outsiders. The big three typically pour their resources into "boutique consultancies" as payment for digging up security flaws, leaving nothing for the outsiders. For this reason, many individual researchers have been encouraging peers to stop reporting vulnerabilities found on their own time.
No, I like Windows 7, I'm just saying nobody's perfect.
But seriously, all kidding aside, they are just stingy... I mean, look at their history. That's entirely what they have always been (among other things)... It won't change. They think they're above everything else and just do their own thing... I agree with connie; if I started, this rant would go on and on and...
Obviously the history of security problems shows that they are not enough. Real-world security requires real-world exposure outside of the lab where fools are in abundance and have direct access to the system the software is on.
This is an interesting read http://www.forbes.com/2010/07/14/apple-microsoft-security-technology-wu-shi.html
If I were MS I wouldn't pay either. But ADOBE needs to, because they are on the verge of losing every Flash customer on the planet.
Keep in mind that developing a patch, and doing the required testing prior to release may take a month for a simple patch, or two months for a complex patch.
Yes, offering them full-time employment to shut them up.... If only these poor fools would prove the folly to Microsoft for not taking them up on their offer; these guys could just as easily auction off the security flaw to internet thieves on eBay for a lot more, if it really compromises security in such a bad way as to allow them to exploit something worth their time and money to attack systems everywhere.
Best way to beat a criminal is to think like a criminal. Getting your bank account and PIN # is not likely or probable; however, obtaining routing information and personally identifying information is. Blackmailing the victim with a threat of revealing that information to others works just as easily if some poor fool is having an affair on ashleymadison.com and doesn't want his wife to find out and divorce him along with 1/2 of whatever they own! I'm sure there are lots of better ways to exploit things; this was just a fast, easy way to set an example.