__/ [ Roy Culley ] on Tuesday 21 February 2006 23:55 \__
> MICROSOFT is fuming over a move by security outfit iDefense to
> offer hackers a $10,000 bounty for finding serious flaws in its
> A spokesVole told EWeek that paying for flaws is not the best way
> to secure software products. Microsoft thinks that the best way
> forward is what it calls “responsible disclosure” where
> the person who finds the flaw tells Microsoft, who eventually
> releases a patch and then announces the glitch has been found.
> However it claims its bounty system was a good way to get a list
> of bugs in the software. Last year iDefense found three 'critical'
> vulnerabilities and reported them to Microsoft,
> A spokesman for iDefense said that it was ironic that Vole offered
> $250,000 to capture a virus writer, but didn't want to pay for
> information that would stop the propagation of the virus.
> See, it is possible to make money from MS SW. Sadly, that's just for
> the few. Those who have to use Windows lose money hand over foot just
> to keep the bug-ridden 'OS' running.
This bounty hunt was announced about a week ago (I think I posted a link
to COLA). I don't see how this badly affects Microsoft. If anything, they
should be grateful. They are getting free bug tracking, and reports too.
In WordPress, for instance, a 'bounty hunt' was announced as part of our
attempt to squash as many bugs as possible. Several dozen were discovered
and then mended. So what is Microsoft whining about? Make good products
and show that bounty hunts are pointless, even when the code is
closed-source. The Linux kernel is metaphorically naked, it is out there and yet
no-one is able to break it to pieces. Many eyes are watching and it works
to one's advantage.