Writing software is hard, but testing software and finding bugs can be harder. That's why companies like Google and Mozilla pay bounties upwards of USD 3,000 to anyone who reports a serious security bug in their browsers. Don't expect anything more than an attaboy if you find a hole in Internet Explorer, though.

According to ThreatPost.com, Microsoft will not pay bug bounties to the people who find security bugs. It will, however, credit them by name in the security bulletin when the fix is posted. Considering how long it can take to find security issues, some sort of monetary thank-you doesn't seem out of line. Remember that if the good guys don't find these security holes, the bad guys will. If paying a bug bounty seems expensive, consider the cost to Microsoft's reputation if these holes are exploited.

I'm not sure what Microsoft's beef is with paying someone for finding a critical bug. Is it worried that its software has so many bugs that paying for them would bankrupt it? On the contrary, one benefit of paying a bug bounty is that it puts at least one well-defined cost on a bug, which provides a stronger incentive for finding and eliminating bugs during development. It also brings outside expertise to bear in a way that in-house development staff can't duplicate.

Now if you are just dead-set on being paid for finding a bug in a Microsoft product, there is one possibility that the company holds out for you. Microsoft's Jerry Bryant says, "While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We've had several influential folks from the researcher community join our security teams as Microsoft employees." So perhaps the free work that you give to Microsoft is just your ticket to a job in Redmond. Then again, perhaps not.