Jul 24, 2010
Creating software is no easy task, but testing it and finding all the bugs is even more difficult. Many companies, including Mozilla and Google, are willing to offer up to $3,000 as a bounty to anybody who brings a serious security issue with their browsers to their attention. The same cannot be said if you find a bug hidden in Internet Explorer.
Microsoft does not participate in this bounty system, according to ThreatPost.com. What you will get is credit for the find and a specific mention in the subsequent security bulletin that outlines the fix. A monetary reward of some kind does not seem unreasonable considering the time it can take to locate these types of security problems. If the security hole is not found by someone interested in getting the bug fixed, it could be discovered by someone who is willing to use it to do harm. After all, the damage to Microsoft’s reputation could be enormous if one of those holes is exploited by the wrong person. Paying a bug bounty would be a bargain in comparison.
It is unclear why Microsoft has taken this stance when it comes to security bug discovery. Could it be that their software is so buggy that the prospect of paying bounties might put them in bankruptcy? The truth is quite the opposite. Putting a specific cost on finding a bug gives programmers a stronger incentive to find and get rid of bugs during development. It also brings in outside expertise of a kind that an in-house development staff cannot replicate on its own.
The only way to get paid for discovering a bug hidden within a Microsoft program is to go to work for them. According to Jerry Bryan, the company may recognize talent by asking the researcher to become a part of the security team as a paid employee. A clever person just might turn their discovery into a lucrative career in the computer software industry. Then again, it might not.