Mozilla and Google may be increasing the bounties to security researchers who find security holes in their software products but don’t expect Microsoft to join the pay-for-flaws party. According to Threatpost’s Dennis Fisher, a Microsoft security official dismissed any suggestion that the company would start buying rights to security flaws, arguing that its current system of crediting hackers in security bulletins is working very well.
Here’s what Microsoft’s Jerry Bryant told Fisher:
“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way, especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update.”
“While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”