Microsoft: No money for bugs
Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today.

“We don’t think [bug bounties] are the best way for us to compensate researchers,” said Mike Reavey, director of the Microsoft Security Response Center (MSRC), in an interview Thursday.

Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.

Last week, Mozilla hiked Firefox bounties for bugs rated “critical” and “high” to $3,000. A few days later, Google matched Mozilla’s raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws.


But Microsoft won’t dive into the same pool.

“Not all researchers are financially motivated,” Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.

Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors — it’s one of seven top sponsors of next week’s Black Hat conference, for example — its Blue Hat gathering on its Redmond, Wash. campus, and employment opportunities for researchers as contractors and members of its security team.

“There are lots of ways we work with the [researcher] community,” said Reavey, that don’t involve handing out money directly.

But that’s exactly what Microsoft should be doing, several well-known bug finders said today.

“Sure, I’d like to see [bounties by Microsoft] happen,” said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple’s Safari browser next Thursday at Black Hat.

“What difference does it make to Microsoft if it pays $1,000, $3,000, $5,000, even $10,000 to buy a vulnerability?” Grossman asked. “They make billions in profit.”

Researchers have argued that buying vulnerabilities is a sure way to remove the threat of early disclosure: it spares a vendor like Microsoft the time and money spent investigating a problem that suddenly surfaces in public, and, if a bug does leak before a patch is available, it helps the vendor protect its customers.

“Large vendors like Microsoft have been historically averse to bounties,” said Dino Dai Zovi, a New York-based security consultant and vulnerability researcher. “I would love it if they followed [Google’s and Mozilla’s] model.”

Last year, Dai Zovi, along with fellow researchers Charlie Miller and Alex Sotirov, launched an effort they dubbed “No Free Bugs” that proposed researchers should be paid for their work because vulnerabilities have value, both to the vendor whose product was at risk and on the black or gray market.

Without payments for work done, vendors essentially lose the skills of the researchers most likely to find and report vulnerabilities, Dai Zovi said. “Researchers who report vulnerabilities for free do this as they build their reputations,” he said. “But as they become more experienced, that tapers off because they have paying clients. You still try to do what you can, but it’s unfair to my paying customers if I’m giving away to a vendor what [those customers] are paying for my time.”