The company's policy is only to credit vulnerability finders, not to pay them

Feb 22, 2007 08:14 GMT  ·  By

Following announcements from various sources about financial transactions involving vulnerabilities in Microsoft's software products, I asked Stephen Toulouse, senior program manager for the Trustworthy Computing Group, what Microsoft's plans were in this area.

The most illustrative recent examples are those provided by Trend Micro's chief technology officer, Raimund Genes, and by VeriSign's iDefense Labs. Genes revealed that on the black market a critical zero-day vulnerability in Windows Vista can fetch as much as $50,000.

VeriSign's iDefense Labs, for its part, has announced the Quarterly Vulnerability Challenge, offering $8,000 to $12,000 for vulnerabilities in Windows Vista and Internet Explorer 7 submitted together with working exploit code. In this context, I asked Toulouse for Microsoft's official position on the trade in vulnerabilities affecting its products.

"We're certainly aware of companies offering compensation for information regarding security vulnerabilities. Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner," Toulouse explained.

Since the moment was opportune, I also asked Toulouse whether Microsoft was considering becoming a player in the market that trades vulnerabilities in its products. But Toulouse ruled out any possibility of a Windows vulnerabilities marketplace initiative.

"As I mentioned, Microsoft does not offer compensation for information regarding security vulnerabilities. Our policy is to credit finders who report vulnerabilities to us in a responsible manner. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the update is being developed," he added.