Microsoft: No money for bugs

Will not follow lead of Mozilla and Google in paying bounties for reported bugs

1 2 Page 2
Page 2 of 2

"What difference does it make to Microsoft if it pays, $1,000, $3,000, $5,000, even $10,000 to buy a vulnerability?" Grossman asked. "They make billions in profit."

Researchers have argued that buying vulnerabilities is a sure way to remove the threat of early disclosure, saving a vendor like Microsoft the time and money it consumes to investigate a problem that suddenly pops up, or if the bug is leaked before a patch is available, helping protect its customers.

"Large vendors like Microsoft have been historically adverse to bounties," said Dino Dai Zovi, a New York-based security consultant and vulnerability researcher. "I would love it if they followed [Google's and Mozilla's] model."

Last year, Dai Zovi, along with fellow researchers Charlie Miller and Alex Sotirov, launched an effort they dubbed "No Free Bugs" that proposed researchers should be paid for their work because vulnerabilities have value, both to the vendor whose product was at risk and on the black or gray market.

Without payments for work done, vendors essentially lose the skills of the researchers most likely to find and report vulnerabilities, Dai Zovi said. "Researchers who report vulnerabilities for free do this as they build their reputations," he said. "But as they become more experienced, that tapers off because they have paying clients. You still try to do what you can, but it's unfair to my paying customers if I'm giving away to a vendor what [those customers] are paying for my time."

There are ways to make money -- legally and with Microsoft's blessing -- on a bug in the company's software, even without Microsoft cutting checks directly. Both HP TippingPoint's and VeriSign's iDefense have bug-for-cash programs in place, and regularly pay for flaws, then report them to the appropriate vendor.

Today, Microsoft pitched a new name for what has been called "responsible disclosure," the practice where a researcher reports a bug but then keeps quiet until a patch is ready. As part of its proposal for the new name -- "coordinated vulnerability disclosure" -- Microsoft urged researchers to report flaws any way they wanted, including using the existing bounty programs.

"Report the issue to the vendor, or to a CERT-CC or some other coordinator you trust who will report to the vendor privately, or sell it to a service that will," said Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team, in a post to a Microsoft blog.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon