Microsoft: No money for bugs
Will not follow lead of Mozilla and Google in paying bounties for reported bugs
Computerworld - Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today.
"We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC) in an interview Thursday.
Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.
Last week, Mozilla hiked Firefox bounties for bugs rated "critical" and "high" to $3,000. A few days later, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws.
But Microsoft won't dive into the same pool.
"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.
Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors -- it's one of seven top sponsors of next week's Black Hat conference, for example -- its Blue Hat gathering on its Redmond, Wash. campus, and employment opportunities for researchers as contractors and members of its security team.
"There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.
But that's exactly what Microsoft should be doing, several well-known bug finders said today.
"Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat.
- Learn More About Peer 1 Hosting's Mission Critical Cloud Mission Critical Cloud from Peer 1 Hosting is enterprise-ready, creating a perfect point of adoption whether you need an off-premise solution for development
- What Makes a Cloud Solution Truly Enterprise-Grade? Future enterprise cloud capabilities will evolve from five core elements...
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade.
- Peer 1's Mission Critical Cloud: Your Cloud, Your Way Peer 1 Hosting's Mission Critical Cloud offers the ultimate in flexible customization of infrastructure, resources and support. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!