Microsoft: No money for bugs
Will not follow lead of Mozilla and Google in paying bounties for reported bugs
Computerworld - Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today.
"We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC) in an interview Thursday.
Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.
Last week, Mozilla hiked Firefox bounties for bugs rated "critical" and "high" to $3,000. A few days later, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws.
But Microsoft won't dive into the same pool.
"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.
Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors -- it's one of seven top sponsors of next week's Black Hat conference, for example -- its Blue Hat gathering on its Redmond, Wash. campus, and employment opportunities for researchers as contractors and members of its security team.
"There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.
But that's exactly what Microsoft should be doing, several well-known bug finders said today.
"Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!