
Does Microsoft Need Bug Bounties?

Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."
  • Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond, Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

    Here is the source [mozilla.org] for Mozilla projects. Here is the source [chromium.org] for Google Chrome. And where do I find Internet Explorer's source code? Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code. How can they start a bug bounty program when they won't even trust the community with seeing their code?

    To put it another way: when you practice security through obscurity, offering monetary incentives for bug discovery is not a financially sound decision.

    Furthermore, there have been times when a bug submitted to Google was deemed not a bug and a discussion ensued about why that was, with the source code referenced. I believe Microsoft could just say, "Oh, sorry, we don't owe you anything for discovering that feature but since you can't see the source code you'll have to take our word for it."

    Microsoft doesn't need bug bounties. They need to achieve the prerequisite of code inspection before they can even consider putting their money where their mouth is [slashdot.org].

  • by Shompol ( 1690084 ) on Friday May 06, 2011 @02:44PM (#36050550)
