Microsoft's bug bounty program

Pascal Cuoq - 19th Jun 2013

I like Robert Graham's analysis on Microsoft's new bug bounty program.

I would never have thought of selling vulnerabilities to the NSA (but then I am not American and not a security researcher). Does the NSA not employ qualified people to look for vulnerabilities as their day job? Is that not like trying to sell a loaf of bread to a company whose business is to make bread?

Sometimes you have a really good loaf of bread, but still… Regardless of whether the NSA already owns your particular loaf of bread, and independently of the payment-by-carrot-or-stick discussion, you are a competitor, not a provider.
