Microsoft: We're not Paying for Bug Bounties
Individual researchers don't want to report security flaws because Microsoft doesn't reward their efforts with money.
Last week Mozilla announced that it was raising its "bug bounty" to $3,000--that is, the company is now paying researchers three Grover Cleveland bills for digging up security flaws found in Firefox, Thunderbird, Firefox Mobile, and other Mozilla-based software. Four days later Google revealed a similar bounty, but upped the ante with a slightly larger $3,133.7 (get it?) bounty.
As for Microsoft? They're not paying a dime. "We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way," Microsoft's Jerry Bryant said in an email. "Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researchers' contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."
He added that although the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft. "We’ve had several influential folks from the researcher community join our security teams as Microsoft employees," he said. "We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."
Apparently Microsoft isn't the only company stingy with the cash: neither Adobe nor Apple pays for bugs discovered by outsiders. These three companies typically direct their vulnerability-hunting budgets to "boutique consultancies" under contract, leaving nothing for independent researchers. For this reason, many individual researchers have been encouraging peers to stop reporting vulnerabilities found on their own time.
azconnie: So the KIN can take 240Mil from XBOX, but MS can't spend a cent on improving security? I would say more... but this would become a 3 page rant.
sliem: Because it would cost them millions due to overwhelming bugs found :).
No, I like Windows 7, I'm just saying nobody's perfect.
SirGCal: Heh, if MS had to pay for each bug reported, they'd probably go bankrupt...
But seriously, all kidding aside, they are just stingy. I mean, look at their history. That's entirely what they have always been (among other things)... It won't change. They think they're above everything else and just do their own thing... I agree with connie; if I started, this rant would go on and on and...
lespy: Microsoft probably has a whole team of fully staffed security experts, so why would it want to pay more for what they're already doing? As for being cheap, personally I would much rather be taught to fish than be given one.
jhansonxi, quoting lespy: "Microsoft probably has a whole team of fully staffed security experts, so why would it want to pay more for what they're already doing? As for being cheap..."
Obviously the history of security problems shows that they are not enough. Real-world security requires real-world exposure outside of the lab, where fools are in abundance and have direct access to the system the software is on.
sneaky jedi: Whatever, it's their prerogative. I don't think it really matters one way or the other.
buddhav1: Debugging a web browser is a lot less expensive for Google or Mozilla than debugging an OS from Microsoft. Of course they're not paying 3 grand a pop; it'd cost them billions.