
Bug Bounty Ballyhoo

From this article on kuro5hin.org comes this quote:

Personally I don't know why Microsoft doesn't just offer a bounty for bugs. Say $10,000 for each one found, on the condition that Microsoft be notified with a week's warning. Even if 1000 bugs are found, that's only $10 million, which is spare change given what Microsoft spends developing Windows. Make the offer apply to its own employees too, and the eyeballs scanning the source code will be a lot more attentive than they are during enforced code reviews.

What developers would actually trust Microsoft to actually pay them? My guess is that Microsoft would send 80% of the people who sent in bugs a note saying "sorry, one of our employees actually found that first" or "Joe Schmoe found that one already." They'd disperse money to 20% of the real bug submitters so that people thought that maybe they were being fair. Their own developers submitting bugs might get similar treatment.

In other words, how many people would actually trust Microsoft, including their own developers? For the chance at $10k, perhaps more would than wouldn't, but that's a pretty sad state of affairs…

