Microsoft's bug bounty turns 10. Are these kinds of rewards making code more secure?

Microsoft's bug bounty program celebrated its tenth birthday this year, and has paid out $63 million to security researchers in that first decade – with $60 million awarded to bug hunters in the past five years alone, according to Redmond. While these days, the vulnerability disclosure and reward program seems like a no- …

  1. Nik 2

    "Attacks are on the rise. That's not going to change. How are you using your bug bounty program to shape your live incident response and make it more efficient?"

    Announce that you will give any unspent funds in the bug bounty pot to the dev team, a set period after product launch.

    1. Ali Dodd

      "Announce that you will give any unspent funds in the bug bounty pot to the dev team, a set period after product launch"

      ONLY if no bugs are found... or reducing by 10% per bug detected before that time.

    2. Anonymous Coward

      Would the dev team be better writing perfect code straight away - although it would take longer and add pressure from above - or make notes of all the bugs and get their friends to report them and split the bounty?...

  2. Kev99

    With all the updates that come out every month I'm surprised Microsoft hasn't gone tits up.

  3. CowHorseFrog

    The real q is why are bug bounties so small?

    They should be at least 100k+. If companies like MS can pay billions for a useless moron like Ballmer, surely they can pay to support people who are actively supporting their products' security.

    1. Ian 55

      "We've paid $63m over 10 years, $60m in the past 5"

      That says you were seriously underpaying in the first five or your products have become a lot worse or, most probably, both.

      1. Kristian Walsh

        Re: "We've paid $63m over 10 years, $60m in the past 5"

        No, it proves neither.

        You’re assuming that the rate of awards is steady; it isn’t - from the article, 2016 would seem to be the inflection point on what sounds like an exponential curve of interest in these schemes.

        You’re also assuming that issues are discovered quickly; they’re not - some exist for years before they’re found.

        As per the article, what’s happened is that more organisations now run these bounty schemes, so more hackers have become interested in bug-bounty schemes in general, so there’s now a lot more applications on everyone’s schemes, and thus more payouts.

        The (valid) criticism of this from Ms Moussouris is that throwing reward money at hackers shouldn’t be the only spending that companies make on software security, but these days, tech companies have lots of cash, but lack developers with security expertise, so it’s not surprising that this has happened.

  4. Anonymous Coward

    A novel idea

    This is the typical executive knee-jerk response. Cover your ass.

    Look, we’re doing oh so much.

    Passive: fixing the exploits.

    Active: secure code practice, secure tools/languages.

    Remember MASM language support, now VS?

  5. IceC0ld

    T - otally

    I - ncentivised

    T - o

    S - top

    U - nwanted

    P - rocesses
