Subscribe to
NSLog(); Header Image

Bug Bounty Ballyhoo

From this article on comes this quote:

Personally I don't know why Microsoft doesn't just offer a bounty for bugs. Say $10,000 for each one found, on the condition that Microsoft be notified with a week's warning. Even if 1000 bugs are found, that's only $10 million, which is spare change given what Microsoft spends developing Windows. Make the offer apply to its own employees too, and the eyeballs scanning the source code will be a lot more attentive than they are during enforced code reviews.

What developers would actually trust Microsoft to actually pay them? My guess is that Microsoft would send 80% of the people who sent in bugs a note saying "sorry, one of our employees actually found that first" or "Joe Schmoe found that one already." They'd disperse money to 20% of the real bug submitters so that people thought that maybe they were being fair. Their own developers submitting bugs might get similar treatment.

In other words, how many people would actually trust Microsoft, including their own developers? For the chance at $10k, perhaps more than less, but that's a pretty sad state of affairs…