Microsoft Pays $13 Million For Bug Reports
Microsoft has revealed it paid more than $13 million in bounties to people who reported security bugs in the past 12 months. It's three times the amount for the previous year, raising questions about Microsoft's attitude to security.
Like many tech firms, Microsoft has a series of programs that pay rewards for reports of vulnerabilities. It's not so much meant as a way to compete against the potential earnings of would-be cyber criminals. Instead, it's meant as an incentive for legitimate independent security researchers to put their efforts into a particular application, device or platform.
Microsoft says its total payouts for July 2019 through June 2020 were $13.7 million. That covered 1,226 reports from 327 different researchers. The biggest single payout was $200,000. (Source: microsoft.com)
Social Distancing Had an Effect
The programs paid out $4.4 million from July 2018 to June 2019, and Microsoft offers two reasons for the dramatic increase the following year. One is an ironic effect of social distancing. Microsoft believes that with more people forced to work at home, security researchers were more open to collaborating with a wider range of people, rather than concentrating solely on projects with people they shared an office with.
The other reason is that Microsoft added several new bounty programs, including ones dedicated to the Xbox gaming console, the new edition of Microsoft Edge (which runs on Google's Chromium code), and a set of tools called ElectionGuard that are designed to secure the voting process.
No Longer A Smart Spend?
However, the woman who originally created the bounty program at Microsoft says the sheer amounts being paid out now could be a sign it's no longer efficient spending.
Katie Moussouris, who now runs an independent security company, told The Register that Microsoft is now spending so much on the rewards that it would probably be more efficient to spend much of the money on internal improvements that stop the bugs appearing in the first place. (Source: theregister.com)
Indeed, she even speculates that the biggest payouts may be so high that Microsoft's security experts could be incentivized to quit their jobs and concentrate on chasing the bounties.
What's Your Opinion?
Are you surprised Microsoft spends so much on bounties? Is it a smart approach to security? Should it spend more on detecting bugs before release?
Comments
Scott Adams saw this coming
https://dilbert.com/strip/1995-11-13
I like incentivizing Microsoft's own (ex-)security people to chase bounties.
Or programmers pressured to complete projects on unrealistic schedules giving their buddies hints of where to look for poorly tested code.