
Microsoft will not offer rewards for identifying bugs in IE

Bug bounties are not the best way to compensate researchers

Microsoft has no plans to follow in Mozilla's and Google's footsteps and offer security researchers rewards for identifying bugs in its software.

"We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC).

Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit.

Mozilla recently hiked Firefox bounties for bugs rated 'critical' and 'high' to $3,000 (£1,961). Meanwhile, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 (£2,034) for reported Chrome flaws.

But Microsoft won't dive into the same pool.

"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, and that goes against the grain of security vendors' claims that profit motivates most hackers who craft and launch attacks.

Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors - it's one of seven top sponsors of next week's Black Hat conference, for example - its Blue Hat gathering on its Washington campus, and employment opportunities for researchers as contractors and members of its security team.

"There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.

But that's exactly what Microsoft should be doing, several well-known bug finders said today.

"Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat.

"What difference does it make to Microsoft if it pays $1,000, $3,000, $5,000, even $10,000 to buy a vulnerability?" Grossman asked. "They make billions in profit."

Researchers have argued that buying vulnerabilities is a sure way to remove the threat of early disclosure. That saves a vendor like Microsoft the time and money it takes to investigate a problem that suddenly pops up in public, and, if the bug is leaked before a patch is available, helps protect its customers.

"Large vendors like Microsoft have been historically averse to bounties," said Dino Dai Zovi, a New York-based security consultant and vulnerability researcher. "I would love it if they followed [Google's and Mozilla's] model."

Last year, Dai Zovi, along with fellow researchers Charlie Miller and Alex Sotirov, launched an effort they dubbed 'No Free Bugs' that proposed researchers should be paid for their work because vulnerabilities have value, both to the vendor whose product was at risk and on the black or gray market.

Without payments for work done, vendors essentially lose the skills of the researchers most likely to find and report vulnerabilities, Dai Zovi said.

"Researchers who report vulnerabilities for free do this as they build their reputations," he said.

"But as they become more experienced, that tapers off because they have paying clients. You still try to do what you can, but it's unfair to my paying customers if I'm giving away to a vendor what [those customers] are paying for my time."

There are ways to make money - legally and with Microsoft's blessing - on a bug in the company's software, even without Microsoft cutting cheques directly. Both HP TippingPoint and VeriSign's iDefense have bug-for-cash programmes in place: they regularly pay for flaws, then report them to the appropriate vendor.

Today, Microsoft pitched a new name for what has been called 'responsible disclosure', the practice where a researcher reports a bug but then keeps quiet until a patch is ready. As part of its proposal for the new name - 'co-ordinated vulnerability disclosure' - Microsoft urged researchers to report flaws any way they wanted, including using the existing bounty programs.

"Report the issue to the vendor, or to a CERT-CC or some other coordinator you trust who will report to the vendor privately, or sell it to a service that will," said Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team, in a post to a Microsoft blog.
