Microsoft won't offer cash rewards for security vulnerabilities

Microsoft will not pay researchers rewards for reporting discovered vulnerabilities in their products, Security Program Manager Jerry Bryant said in an email this week. The message was in response to reports about Mozilla and Google increasing their own so-called “bug bounties”.

Researchers have recently called upon software vendors to offer such rewards, stating that they are no longer interested in doing the work if there is no return for their efforts. Mozilla responded by raising their bounty to $3000, while Google has set a maximum reward of $3133.70.

Some researchers have gone so far as to request that their colleagues stop reporting bugs to corporations who give them nothing but a bit of recognition in return. They believe that the companies will either pay internal employees or high-priced contractors for the work of locating vulnerabilities, so they should be receiving something for their work as well.

"We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way, especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," said Bryant, in defense of Microsoft’s stance.

Some vulnerabilities can be worth $50,000 or more to the person who finds and reports them, according to prominent researcher Charlie Miller. Miller was shocked to see CanSecWest attendees sign up to receive only $5000 per verifiable bug at the conference’s Pwn2Own competition last year.

The attitude researchers like Miller take on the issue strikes me as rather pompous. After all, not everyone who hunts bugs in software actually cares about the money, so why make snide remarks about people who are motivated by less?

Also, while Microsoft may seem to be taking a stingy stance, they do have a reputation for supporting members of the community who spend their time helping to improve their products and educating others about them. That said, I would rather see a little money go to the people who spend their own time on the research than to the “boutique consultancies” to which Microsoft is likely paying ridiculous sums.