All the latest UK technology news, reviews and analysis

Microsoft rules out bounties for security exploits

by Iain Thomson

More from this author

24 Apr 2007

Be the first to comment

  • Tweet this
Microsoft chief security advisor Roger Halbheer
Microsoft chief security advisor Roger Halbheer

Microsoft has ruled out paying security researchers bounties for exploits, as practised by other industry firms.

Speaking to vnunet.com at Infosecurity 2007 Microsoft chief security advisor Roger Halbheer ruled out making payments to researchers who discover vulnerabilities.

Further reading

Instead the company wants to work with security researchers and credit them in monthly updates.

"I do not think paying is a healthy idea," he said. "We run a researcher conference at Redmond, called Bluehat, and once researchers see how we work they will start to trust us. After all, we are not lazy over fixes, but patches are very complex to develop."

Halbheer explained that it can sometimes take several hundred days to build a patch, in part because of a long testing process. For example, a patch for the IE browser has to go through over 400 tests before being released.

Microsoft has not been averse to using bounties before in specific circumstances. Three years ago it offered a $250,000 bounty for the author of the MyDoom worm, and Mozilla offers $500 and a free T-shirt for each vulnerability found.

Others in the industry also use the tactic. The US Federal Trade Commission has suggested bounties of up to $250,000 for information leading to the conviction of spammers.

Security research companies Tipping Point and iDefence also use the tactic.

Do you agree?

Add your comment
 

Add your comment

We won't publish your address
By submitting a comment you agree to abide by our Terms & Conditions. Your comment will be moderated before publication.
Submit your comment

Latest stories from Security

german flag

Germany backs away from ACTA

Related white papers

Related articles

Related jobs

Today's top stories

heartvalentinesday

Top 10 Valentine's Day technology matches made in heaven

Microsoft Windows 8 start screen

Microsoft talks up Windows 8 for ARM hardware

Security enhancements will be added with the Chrome 17 update

Chrome for Android hands on review

Poll

IT priorities for 2012

What is the most important IT priority for your company this year?

99%

0%

1%

0%

0%

Features

V3 and The INQUIRER editor Madeline Bennett

BBC and Sky News show tough love with Twitter policies

V3's Rosalie Marshall

World indulges in a Facebook facts fest as firm prepares to float

facebook-new

Top five most interesting figures from Facebook’s IPO

Khidr headshot

Intel will prove Steve Jobs wrong in the mobile market

More features

Connect with V3.co.uk

Sign up to our daily or weekly newsletters

Case studies and reports

Accurev

Top 5 software development challenges

This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes

Talend

Rubbish in, rubbish enterprise

Why good data management at all levels is essential in the modern business (video, 6mins)

Technology jobs

Senior Account Manager/IT Account Manager - West London - £38k

Senior Account Manager/IT Account Manager - West London...

Implementation Manager, (Project Manager/Business Analyst)

Implementation Manager, (Project Manager/Business Analyst...

2nd Line Engineer - 6 month initial contact-Up to £20 per hour

2nd Line Engineer - Desktop/Remote - Active Directory...

.NET Developer - MS Gold Partner - Glasgow, Scotland

.NET Developer (VB.NET, VB, dot NET, Desktop, Winforms...

To send to more than one email address, simply separate each address with a comma.