report, Microsoft talked about how it had refused in the past to pay for vulnerabilities found in its software, opting instead to credit the researchers by name in its security advisories. But the 90s have come and gone, people! According to Katie Moussouris, senior security strategist at Redmond, the company wanted to disrupt the black market rather than compete with it, since there had been cases where security researchers could earn a lot of money by selling the vulnerabilities they found in its products:
“Our new bounty programs add expanded depth and flexibility to our existing community outreach programs. Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers. At the heart of our community outreach programs, we’ve always had the same philosophy: help increase the win-win between Microsoft’s customers and the security research community. We have evolved and deepened our relationships with this community since the earliest days of Microsoft’s outreach.”

All for a good cause, then. Since announcing these bug bounty programs, the company has paid sums of up to $100,000 for flaws found in Windows and Internet Explorer. And with newer versions of this software in development, Microsoft has promised to continue the policy. The new wave of products due to hit the market within the next year or so should give security researchers more incentive to find and report any vulnerability they come across.
Article Tags: Bug Bounty · Bugs · Development · Internet Explorer · Microsoft · Security · Strategy · Windows

Article Categories: Microsoft
Comments:
That may be why MS found more bugs in 2013 than in 2012.