Msg#: 4586299 posted 6:20 am on Jun 25, 2013 (gmt 0)
Microsoft has been for years against the idea of paying those that report security flaws to them. There are a number of (security) vendors who will offer a bounty to those who find security bugs in Microsoft products and help to get Microsoft to acknowledge the problem in exchange for the publicity it yields them months to years later when Microsoft acknowledges the bug publicly.
So it's for sure an about face for Microsoft but nothing novel.
Also the scope is quite limited.
Also notice they pay "up to" an amount - not the amount. And knowing how hard it is to get them to acknowledge their products are less than perfect, this is not going to be a reliable income, no matter how skilled you are at it.
Msg#: 4586299 posted 4:26 pm on Jun 25, 2013 (gmt 0)
>> pay "up to" an amount
That's pretty standard for any reward, including information leading to the arrest of a murderer or whatever.
If they turn out to be really cheap about it, they will reap the "benefits", which is to say that people will turn on them and make the situation worse. If they are generous, word will get out and people will really hunt for exploits.
I suppose the great unknown is how many exploits are there? If people start reporting them in massive numbers, it could get too expensive. But if people stop reporting them, it could get expensive.
Now that I think about it, I can see why they hesitated to do something like this. Does anyone know if Google or Apple have similar programs?
Msg#: 4586299 posted 8:56 pm on Jun 25, 2013 (gmt 0)
Apple only has a published email address (firstname.lastname@example.org) to contact them, no bounty program AFAIK. Apple does systematically give credit to those that help them. (Microsoft does too, but only if you follow their rules and have the patience needed for their slow process.)
There are more programs out there, I've not tried to keep a complete list, and there are also quite a few that just give mentions, links, t-shirts and the like - I've also not included those above.
I hope the links are OK. As far as I know none are dangerous to visit. BUT not everything might be suitable for work. Take care if your corporate security is rather tight, they might disapprove of some of the content.