Microsoft will not follow the lead of Mozilla and Google in paying researchers for reporting vulnerabilities, a company executive said today. "We don't think [bug bounties] are the best way for us to compensate researchers," said Mike Reavey, director of the Microsoft Security Research Center (MSRC), in an interview Thursday.
Reavey was responding to questions about recent moves by Google and Mozilla to boost payments made to outside researchers who report flaws, and whether Microsoft would follow suit. Last week, Mozilla hiked Firefox bounties for bugs rated "critical" and "high" to $3,000. A few days later, Google matched Mozilla's raise by increasing the top-dollar payment to $3,133 for reported Chrome flaws. But Microsoft won't dive into the same pool.
"Not all researchers are financially motivated," Reavey said, an argument that flies in the face of what some of the best-known researchers say, as well as against the grain of security vendors that claim profits inspire most hackers who craft and launch attacks.
Reavey also said that Microsoft compensates security researchers in other ways. He ticked off the security conferences Microsoft sponsors or co-sponsors (it is one of seven top sponsors of next week's Black Hat conference, for example), its Blue Hat gathering on its own campus, and employment opportunities for researchers as contractors and as members of its security team. "There are lots of ways we work with the [researcher] community," said Reavey, that don't involve handing out money directly.
But that's exactly what Microsoft should be doing, several well-known bug finders said today. "Sure, I'd like to see [bounties by Microsoft] happen," said Jeremiah Grossman, chief technology officer at White Hat Security. Grossman will be demonstrating a vulnerability in Apple's Safari browser next Thursday at Black Hat. "What difference does it make to Microsoft if it pays $1,000, $3,000, $5,000, even $10,000 to buy a vulnerability?" Grossman asked. "They make billions in profit."
Researchers have argued that buying vulnerabilities is a sure way to remove the threat of early disclosure. That saves a vendor like Microsoft the time and money it takes to investigate a problem that suddenly pops up and, if the bug is leaked before a patch is available, helps protect its customers. "Large vendors like Microsoft have been historically averse to bounties," said Dino Dai Zovi, a security consultant and vulnerability researcher. "I would love it if they followed [Google's and Mozilla's] model."
Last year, Dai Zovi, along with fellow researchers Charlie Miller and Alex Sotirov, launched an effort they dubbed "No Free Bugs" that proposed researchers should be paid for their work because vulnerabilities have value, both to the vendor whose product was at risk and on the black or gray market.
Without payments for work done, vendors essentially lose the skills of the researchers most likely to find and report vulnerabilities, Dai Zovi said. "Researchers who report vulnerabilities for free do this as they build their reputations," he said. "But as they become more experienced, that tapers off because they have paying clients. You still try to do what you can, but it's unfair to my paying customers if I'm giving away to a vendor what [those customers] are paying for my time."
There are ways to make money, legally and with Microsoft's blessing, on a bug in the company's software, even without Microsoft cutting cheques directly. Both HP TippingPoint and VeriSign's iDefense have bug-for-cash programs in place; they regularly pay for flaws and then report them to the appropriate vendor.
Today, Microsoft pitched a new name for what has been called "responsible disclosure," the practice where a researcher reports a bug but then keeps quiet until a patch is ready. As part of its proposal for the new name, "coordinated vulnerability disclosure", Microsoft urged researchers to report flaws any way they wanted, including using the existing bounty programs.
"Report the issue to the vendor, or to a CERT-CC or some other coordinator you trust who will report to the vendor privately, or sell it to a service that will," said Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team, in a post to a Microsoft blog.