No more free bugs?
Posted on 23 July 2010.
The recent announcements from Google and Mozilla of their intent to pay up to $3,133.7 and $3,000 (respectively) for an eligible vulnerability discovered by outside researchers have been welcome news to all those security researchers who would like to get more than a mention of their name as thanks for discovering a vulnerability that could affect millions of people.

But other big companies are still not offering to pay: Apple, Adobe, Microsoft and Oracle are among them. Jerry Bryant, Senior Security Program Manager Lead at Microsoft, had this to say in an email to ThreatPost:

We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update.

While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We've had several influential folks from the researcher community join our security teams as Microsoft employees. We've also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they're released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.

Excepting Google and Mozilla, it seems that researchers must look to third-party vulnerability vendors, government agencies and other buyers if they want to make a buck this way.

With more and more security researchers of the opinion that their hard work has a price, it will be interesting to see which side will be the first to give in.





