Microsoft has no interest in joining the bug-bounty wars, according to ThreatPost.com. Mozilla recently increased the cash reward it offers to security researchers for nailing vulnerabilities in its software, only for Google to follow suit a few days later. All this was enough to fuel rumors of Microsoft, which doesn't have a bug-bounty program, finally getting sucked into the bug-bounty battle.
But such rumors have now been put to rest by Microsoft. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers’ contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," Microsoft's Jerry Bryant told ThreatPost in an email.
The company seems satisfied with its current practice of honoring talented security researchers by enlisting their services: “We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”
This will not go down well with a growing number of security researchers who discourage fellow researchers from making free disclosures and advocate more bug-buying programs. Don't be surprised if you witness a spike in publicly disclosed critical bugs in Microsoft software, given that the company openly discourages security researchers from making public disclosures.