
BUGS DO NOT mean prizes at Microsoft, despite both Google and Mozilla recently updating their own bug bounty payment programs.
The OS giant has no immediate plans to follow suit, preferring to take the line that it rewards the security community in other ways. That may be of scant interest to any researchers looking for a $3,000 deposit on a car, $3,000 being the top bounty on offer from Google and Mozilla.
"At Microsoft we recognise, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective," the firm said in a security group blog, before skirting the cash question with the suggestion that it compensates these researchers in other ways.
"Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways," it explained.
This reimbursement includes the altruistic profile raising associated with sponsoring conferences and, we guess, dishing out T-shirts to attendees.
Microsoft in the UK has not responded to comments about the cash question. Cynics might argue that paying out would bankrupt the firm, or at the very least, dent the amount of cash behind the open bar at its summer parties.
In fact, according to the post, the firm gets eleven emails about vulnerabilities an hour, 1,000 of which it actually investigates.
Like, not suing their asses off? Free Windows Whatever license? Starbucks vouchers?
Come on, which is it?
...they would be bankrupt overnight.
"according to the post the firm gets eleven emails about vulnerabilities an hour, 1,000 of which it actually investigates."
Of course you don't mean that any 11 e-mails about Microsoft security represent 1,000 distinct serious problems. Consulting the blog entry, I see that it's 100,000 messages per year and 1,000 investigations per year, maybe because this year's range of available Microsoft security bulletin numbers runs from MS10-001 to MS10-999. And maybe MS10-***. They can do no more.
Too bad about the other 99,000 issues...