Bug Bounties for IE? What, You Think We’re Made of Money?
Security researchers looking to make a buck digging up browser vulnerabilities can ignore Internet Explorer, because Microsoft (MSFT) isn’t going to pay them for their work. Though Google (GOOG) and Mozilla recently raised the bounties they pay for bugs discovered in their browsers, their Redmond rival has no plans to follow suit.
“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way,” Jerry Bryant, Microsoft’s Security Program Manager, said in a statement.
I see. Perhaps IE’s security record inspired budget concerns, given the number of potential payouts.
In any event, here’s Bryant’s statement in full.
“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. We also work to make sure we can support and strengthen the community’s development, by sponsoring nearly 50 security conferences in over 20 countries each year. We even host our own researcher conference at Redmond each year, called ‘BlueHat Security Briefings’, to promote the sharing of ideas, social networking and provide direct access between researchers and the specific owners of the technology they’re researching. While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”