Security News > 2020 > August > Microsoft forked out $13.7m in bug bounties. The reward program's architect thinks the money could be better spent

Microsoft forked out $13.7m in bug bounties. The reward program's architect thinks the money could be better spent
2020-08-04 23:43

While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities.

Katie Moussouris, once the architect of Redmond's bug-bounty program and now the CEO of Luta Security, fears there's a growing over-emphasis on external bug rewards - rewards for outside experts finding holes in software after it is released to the public - as opposed to investment in staff and resources to limit the release of buggy code in the first place.

"While I love the expansion of what is in scope for the Microsoft Bug bounty programs, I'm concerned that the dollar amounts are creeping into perverse incentive territory," Moussouris told The Register.

The venerable Ms. Mo, who in addition to Microsoft also helped set up the bug bounty program for the US Department of Defense, has in recent years become less of an advocate for bug pay-offs and more for dedicated security departments that can triage and patch the bugs.

"What companies should do before ever considering even a small bug bounty is assess their internal capabilities for preventing, finding, and fixing security bugs. Internal investments in hiring more skilled security people in-house, using better tools, and mandating a secure development lifecycle has a much higher return-on-investment than letting the public do the bug detection work for you after." .


News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/04/microsoft_137_bug_bounties/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 701 838 4677 4339 3722 13576