Paying independent security researchers a bounty for responsibly disclosing vulnerabilities is not the best way to protect users, according to Microsoft.
Microsoft has said it will not offer money to security researchers for responsibly disclosing vulnerabilities in its products. Responsible disclosure is where a researcher discovers a vulnerability and informs the vendor but nobody else -- until a patch is available.
However, Australia's Computer Emergency Response Team (AusCERT) on Wednesday warned that crime gangs are paying big money for newly discovered vulnerabilities. This acquired knowledge is then used to develop new attack vectors in order to steal money, identities and intellectual property.
Peter Watson, chief security advisor for Microsoft Australia, told ZDNet Australia that there are better ways to protect its customers than paying researchers "bug bounties".
"Microsoft works closely with numerous security researchers and security software companies and does not believe that offering compensation for vulnerability information is the best way we can help protect customers.
"As threats become more sophisticated, Microsoft and researchers alike continue to partner together to help protect customers while still maintaining the integrity of the vulnerability analysis and research process," said Watson.
On Wednesday, the general manager for AusCERT, Graham Ingram, revealed that selling a vulnerability to the highest bidder can be a very lucrative business.
"I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage; which one do I choose?" asked Ingram.
Firewall vendor Check Point does not have a policy of paying third-party researchers for discovering vulnerabilities, but the company does not entirely dismiss the suggestion.
Laura Yecies, general manager of Check Point Consumer Division (previously ZoneLabs) and vice president of Check Point, told ZDNet Australia that paying independent researchers for discovering vulnerabilities is nothing new.
"There have always been people that have done this for financial gain. I used to work for Netscape -- which later became Mozilla -- and we always had a bug bounty ... but it wouldn't pay off your mortgage," she said.
Yecies admitted that Check Point has recently paid researchers for discovering security vulnerabilities: "A financial transaction doesn't make it a nefarious thing, you can almost think about it as outsourced QA [quality assurance] ... there was a recent vulnerability that was found from the outside. We paid for that and we fixed it."
Numerous companies offer a "bug bounty" including Firefox maker Mozilla. The Mozilla Security Bug Bounty Program "is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence", the Web site states. "Reporters of valid critical security bugs will receive a US$500 cash reward and a Mozilla T-shirt".
TippingPoint (owned by 3com) has its ZeroDayInitiative, where researchers can receive cash bonuses and paid-for trips to events such as security conferences for discovering vulnerabilities in applications. The company claimed responsibility for disclosing a critical vulnerability in Microsoft Windows that was patched by Microsoft earlier this month.