"For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques," is how Microsoft has described its change in policy, which will see up to $100,000 paid in specific instances where a serious exploitation technique is discovered in the Windows 8.1 Preview release.
Smaller amounts will be paid for other categories of vulnerability reports.
Additional details of the program are covered in a recent TechNet blog article: Heart of Blue Gold - Announcing the New Bounty Programs.
One of the purposes of this new program is to get vulnerability reports into the system earlier in the software's life cycle. By targeting the program at pre-release versions of both Windows 8 and Internet Explorer 11, Microsoft hopes to incorporate any fixes into the commercial releases right from the start. In the past, much work has been necessary to respond to bugs identified post-release.
In an article released following the Microsoft announcement, CRN comments that the bounties which Microsoft will pay early will be equivalent to what might have been paid for bugs identified later in the process. It goes on to suggest the Microsoft payouts will be similar to those of other major developers like Google.
Enlisting the efforts of the white hat security community to assist in maintaining the security of its products is a good move for Microsoft. Using the work of those who research the vulnerabilities in software and rewarding them for identifying areas of risk can bring additional resources to the fight against hacking. This benefits the users of the software as the patches and corrections get incorporated into the product releases.
Most purchasers of software expect the product to be designed so that it is safe to use as long as they use it as intended. Unfortunately, experience teaches people that this is not always the case, and this leads to skepticism about some software products. Any steps which enhance the security of the end product without impacting end users are welcome.
What do you think about this type of bounty program? Is it justified and reasonable to compensate those who make positive suggestions for improvement?