Commentary
Microsoft Wants Free Testers
Writing software is hard, but testing software and finding bugs can be harder. That's why companies like Google and Mozilla pay upwards of a $3,000 bounty to anyone who reports a serious security bug in their browsers. Don't expect anything more than an attaboy if you find a hole in Internet Explorer, though.
According to ThreatPost.com, Microsoft will not pay bug bounties to the people who find security bugs. They will, however, offer credit to them by naming them in the security bulletin when the bug fix is posted. Considering how long it can take to find security issues, some sort of monetary thank-you doesn't seem out of line. Remember that if the good guys don't find these security holes, the bad guys will. If paying a bug bounty seems expensive, consider the cost to Microsoft's reputation if these holes are exploited.
I'm not sure what Microsoft's beef is about paying someone for finding a critical bug. Are they worried that their software has so many bugs that it will bankrupt them? On the contrary, one benefit of paying a bug bounty is that it's possible to put at least one well-defined cost on a bug. That provides a stronger incentive for finding and eliminating bugs during the development process. It also brings outside expertise to bear in a way that can't be duplicated by in-house development staff.
Now if you are just dead-set on being paid for finding a bug in a Microsoft product, there is one possibility that the company holds out for you. Microsoft's Jerry Bryant says, "While we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We've had several influential folks from the researcher community join our security teams as Microsoft employees." So perhaps the free work that you give to Microsoft is just your ticket to a job in Redmond. Then again, perhaps not.












