John Paczkowski


Bug Bounties for IE? What, You Think We’re Made of Money?

Security researchers looking to make a buck digging up browser vulnerabilities can ignore Internet Explorer, because Microsoft (MSFT) isn’t going to pay them for their work. Though Google (GOOG) and Mozilla recently raised the bounties they pay for bugs discovered in their browsers, their Redmond rival has no plans to follow suit.

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way,” Jerry Bryant, Microsoft’s Security Program Manager, said in a statement.

I see. Perhaps IE’s security record inspired budget concerns, given the number of potential payouts.

In any event, here’s Bryant’s statement in full.

“We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. We also work to make sure we can support and strengthen the community’s development, by sponsoring nearly 50 security conferences in over 20 countries each year. We even host our own researcher conference at Redmond each year, called ‘BlueHat Security Briefings’ to promote the sharing of ideas, social networking and provide direct access between researchers and the specific owners of the technology they’re researching. While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”

