A few weeks ago, I wrote about the Microsoft Most Valuable Professional (MVP) program in which some MVPs will be allowed restricted access to parts of Microsoft's code. I expressed doubts that such code access would have any significant effect on the security of Windows platforms.
One reader pointed out that many MVPs are talented people who do occasionally find security problems in Microsoft code. I have no idea who participates in the MVP program. I do know that a vast pool of proven programmers who understand security regularly discover bugs in code even without being able to examine the source. So I, along with others, wonder what such people could achieve if they could view the source code.
You might have heard the news by now that Microsoft has put a $250,000 bounty on the heads of the person or people who unleashed the MSBlaster and Sobig worms onto the public. The bounty money is part of a $5 million fund Microsoft has launched to aid the capture of future malicious code writers. You can link to the story from the Security News and Features section below.
I expect most of you think it sounds reasonable to offer a reward, and I agree. However, I wonder why the company doesn't create a similar or larger fund to reward those who find and correct bugs in its software. A bug bounty would benefit the public as much as, or perhaps even more than, the capture of a few contemptible criminals. What better way to convert potential perpetrators (and keep honest people honest) than by putting them indirectly on the payroll, offering them bounty money to seek out security bugs in the world's most widely used code base? Microsoft's reputation and public image, its products, and public safety around the world would all benefit. Many people have expressed similar sentiments in various online forums, but will such an idea ever become a reality through Microsoft, or any other software company? We'll have to wait and see.
We're conducting a new poll this week that asks the question, "Regarding Microsoft's $5 million bounty to capture and convict malicious coders, could the money be better spent?" Stop by the Windows & .NET Magazine Security Hot Topic home page and offer your answer.