Microsoft: No money for bugs

Computerworld - Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today.

"We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC) in an interview Thursday.

Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.

Last week, Mozilla hiked Firefox bounties for bugs rated "critical" and "high" to $3,000. A few days later, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws.

But Microsoft won't dive into the same pool.

"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.

Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors -- it's one of seven top sponsors of next week's Black Hat conference, for example -- its Blue Hat gathering on its Redmond, Wash. campus, and employment opportunities for researchers as contractors and members of its security team.

"There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.

But that's exactly what Microsoft should be doing, several well-known bug finders said today.

"Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat.