Microsoft: No money for bugs
Will not follow lead of Mozilla and Google in paying bounties for reported bugs
Computerworld - Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today.
"We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC) in an interview Thursday.
Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.
Last week, Mozilla hiked Firefox bounties for bugs rated "critical" and "high" to $3,000. A few days later, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws.
But Microsoft won't dive into the same pool.
"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.
Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors -- it's one of seven top sponsors of next week's Black Hat conference, for example -- its Blue Hat gathering on its Redmond, Wash. campus, and employment opportunities for researchers as contractors and members of its security team.
"There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.
But that's exactly what Microsoft should be doing, several well-known bug finders said today.
"Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts