Microsoft: We're not Paying for Bug Bounties

Last week Mozilla announced that it was raising its "bug bounty" to $3,000--that is, the company is now paying researchers three Grover Cleveland bills for digging up security flaws found in Firefox, Thunderbird, Firefox Mobile, and other Mozilla-based software. Four days later Google revealed a similar bounty, but upped the ante with a slightly larger $3,133.7 (get it?) bounty.

As for Microsoft? They're not paying a dime. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way," said Microsoft's Jerry Bryant said in an email. "Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update."

He added that although the company doesn't provide a monetary reward on a per-bug basis, Microsoft does recognize honor and talent--traits that could land you a job at Microsoft. "We’ve had several influential folks from the researcher community join our security teams as Microsoft employees," he said. "We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC."

Apparently Microsoft isn't the only company stingy with the cash, as both Adobe and Apple do not pay for bugs discovered by outsiders. The big three typically dump their resources into the "boutique consultancies" as payment for digging up security flaws, leaving nothing for the outsides. For this reason, many individual researchers have been encouraging peers to stop reporting vulnerabilities found on their own time.

  • azconnie
    So the KIN can take 240Mil from XBOX, but MS can't spend a cen't on improving security? I would say more... but this would become a 3 page rant.
  • seraphimcaduto
    too big to fail?
  • sliem
    Because it would cost them millions due to overwhelming bugs found :).
    No, I like Windows 7, I'm just saying nobody's perfect.
  • SirGCal
    Heh, if MS had to pay for each bug reported, they'd probably go bankrupt...

    But serious, all kidding aside, they are just stingy.. I mean look at their history. That's entirely what they have always been (among other things)... It won't change. They think they're above everything else and just do their own thing... I agree with connie; if I started, this rant would go on and on and...
  • lespy
    Microsoft probably has a whole team of fully staffed security experts, why would it want to pay more for what there already doing. as for being cheap, personally i would much rather be taught to fish rather then being given one.
  • jhansonxi
    lespyMicrosoft probably has a whole team of fully staffed security experts, why would it want to pay more for what there already doing. as for being cheap
    Obviously the history of security problems shows that they are not enough. Real-world security requires real-world exposure outside of the lab where fools are in abundance and have direct access to the system the software is on.
  • tapnick
    Why pay for single finds when you can just hire the right people to find them.
  • sneaky jedi
    whatever, it's their prerogative, I don't think it really matters one way or the other
  • buddhav1
    debugging a web browser is a lot less expensive for Google or Mozilla than debugging an OS from Microsoft. of course they're not paying 3 grand a pop, it'd cost them billions.
  • rohitbaran
    Well, one more reason to hate MS and Apple.