Microsoft has ruled out paying security researchers bounties for exploits, as practised by other industry firms.
Instead the company wants to work with security researchers and credit them in monthly updates.
"I do not think paying is a healthy idea," he said. "We run a researcher conference at Redmond, called Bluehat, and once researchers see how we work they will start to trust us. After all, we are not lazy over fixes, but patches are very complex to develop."
Halbheer explained that it can sometimes take several hundred days to build a patch, in part because of a long testing process. For example, a patch for the IE browser has to go through over 400 tests before being released.
Microsoft has not been averse to using bounties before in specific circumstances. Three years ago it offered a $250,000 bounty for the author of the MyDoom worm, and Mozilla offers $500 and a free T-shirt for each vulnerability found.
Others in the industry also use the tactic. The US Federal Trade Commission has suggested bounties of up to $250,000 for information leading to the conviction of spammers.
Electronics and computer chain the latest high street retailer to fall into difficulties
Incisive Media and Investec Asset Management supported fundraiser crosses Atlantic in 40 days
Alphabet's health sciences division Verily have been messing with AI algorithms
North Korea's cyber attack capabilities are expanding fast - and turning their fire on a wider range of targets