I find myself rethinking my position about "vulnerability bounties" every time a story like this one comes up: Firm Offers $10K Reward For Critical Windows Bug. I am on the fence – here’s why. On the one hand, I think all public vulnerability discovery is pointless at best and distracting (from real problems) and expensive at worst. To add insult to injury, I pretty much detest it when security vendors get involved in an attempt to gain a market advantage when it involves increasing the risk to enterprises.
However, since everyone seems intent on doing this bugfinding anyway, it is possible (even likely) that this approach is actually more beneficial than the random one we have today. The biggest reason is that it adds constraints on target (Microsoft) and time. This reduces the randomness and extent of public bugfinding to something less than infinity (I am pretty sure). In addition, it sets a high value (compared with the alleged $4k for WMF) on the vulnerability itself that is liquid and doesn’t require breaking the law to cash in.
Of course, if I’m Microsoft, I think every vulnerability reported between now and 3/31/06 should be classified as "Critical." (That’ll teach ‘em.)
Remind me I said this, as I am sure the next time it comes up, I will have to decide all over again whether to lash out on the one hand or try to reconcile on the other…