The powers that be in Redmond have decided that they will once again be different from the rest of the computing ecosystem when it comes to how research and proof of bad code is rewarded. Competitors like Google and Mozilla pay individuals bounties for identifying errant code. Microsoft believes that it does not have to remunerate research that brings results, and that recognition of the individual is enough.
“In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. ‘We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,’ Microsoft’s Jerry Bryant said.”

I suppose that many will work on finding problems in the hope of recognition, but there are also those who will want something tangible for their efforts. Will this lead to less effort by that community to find the problems, or will the problems simply go to the highest (and most unscrupulous) bidder?

Microsoft may end up finding that the small amount saved on bounties adds up to much higher financial output later in the cycle.

If you’re playing a poker game and you look around the table and can’t tell who the sucker is, it’s you.

Paul Newman

Not everyone operates on the purest motives; one would think that Microsoft would understand that.