Microsoft Pays $13 Million For Bug Reports


Microsoft has revealed it paid more than $13 million in bounties to people who reported security bugs in the past 12 months. It's three times the amount for the previous year, raising questions about Microsoft's attitude to security.

Like many tech firms, Microsoft has a series of programs that pay rewards for reports of vulnerabilities. It's not so much meant as a way to compete against the potential earnings of would-be cyber criminals. Instead, it's meant as an incentive for legitimate independent security researchers to put their efforts into a particular application, device or platform.

Microsoft says its total payouts for July 2019 through June 2020 were $13.7 million. That covered 1,226 reports from 327 different researchers. The biggest single payout was $200,000. (Source: microsoft.com)

Social Distancing Had an Effect

The programs paid out $4.4 million from July 2018 to June 2019, and Microsoft offers two reasons for the dramatic increase the following year. One is an ironic effect of social distancing: Microsoft believes that with more people forced to work from home, security researchers were more open to collaborating with a wider range of people, rather than concentrating solely on projects with people they shared an office with.

The other reason is that Microsoft added several new bounty programs, including ones dedicated to the Xbox gaming console, the new edition of Microsoft Edge (which runs on Google's Chromium code), and a set of tools called ElectionGuard that are designed to secure the voting process.

No Longer A Smart Spend?

However, the woman who originally created the bounty program at Microsoft says the sheer amounts being paid out now could be a sign it's no longer efficient spending.

Katie Moussouris, who now works for an independent security company, told The Register that Microsoft is now spending so much on rewards that it would probably be more efficient to spend much of that money on internal improvements that stop the bugs appearing in the first place. (Source: theregister.com)

Indeed, she even speculates that the biggest payouts may be so high that Microsoft's security experts could be incentivized to quit their jobs and concentrate on chasing the bounties.

What's Your Opinion?

Are you surprised Microsoft spends so much on bounties? Is it a smart approach to security? Should it spend more on detecting bugs before release?


Comments

doulosg:

https://dilbert.com/strip/1995-11-13

I like incentivizing Microsoft's own (ex-)security people to chase bounties.

Or programmers pressured to complete projects on unrealistic schedules giving their buddies hints of where to look for poorly tested code.