Slashdot Mirror


User: sean729

sean729's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. Re:Grace Period on Schneier On Full Disclosure · Score: 1
    Essentially Microsoft asks people to do it a free service, report to it any security weaknesses and bugs which people (on their own time) discover in MS products. Not only does this protect their customer base (from the defective QA of Microsoft) but simultaneously it allows MS to improve the value of their proprietary products.

    Sounds like a variation on corporate welfare. But how about instead, Microsoft paid out the equivalent of a bounty on each newly confirmed security bug to the researcher that reported it first?

    I think they could not only afford it, but it might actually spur the discovery of bugs in a more systematic manner and competition, thus providing an incentive for researchers not to share this information with parties other than the vendor.

    Overall, it would get bugs detected more consistently, pay people for their time and cooperation, and there will still be script kiddies or others that choose not to participate in the "bounty for bugs" program, keeping the pressure on MS to 'innovate'.