Note: This column represents the opinions
of the writer and as such, is not purported as fact
Most people have heard of the term "the ambulance at the foot of the cliff"
and know that it is often used when someone is too busy addressing the
symptoms of a problem to fix the root cause.
Well, that's exactly what Microsoft showed they were doing last week when they
put a bounty on the heads of those who write software which exploits bugs in their
software.
It seems that Sheriff Bill is prepared to pay lots of money as a reward
to anyone who can track down and dob-in any of those responsible for a recent
spate of quite significant attacks on Microsoft software.
Although this is obviously a move designed to demonstrate to the public
that Microsoft is now getting very serious about protecting the integrity
of its products, I suspect it's one that will backfire badly.
Anyone with half a brain will realise that by announcing this bounty,
Microsoft are effectively saying "we have a real security problem and
we are incapable of addressing it from a technical perspective in any
reasonable timeframe."
Now is it any wonder that people are starting to look more closely
at Open Sourced software?
If Microsoft had listened to their head rather than their wallet, they might have
been a whole lot better off making a slightly different offer:
How about offering a bounty for every vulnerability uncovered by non-MS
staffers?
Yes, imagine if you're a potential "evil sod" who's just discovered a great
new way to bust Microsoft's code wide open and upset Windows XP. Would you
prefer to:
- write a virus to show people how clever you are and face a possible
jail term if you're caught, or
- contact Microsoft with details of your discovery and pocket a handsome
wad of cash for your efforts?
Despite their reputation as being ideological zealots, I think you'd find that
if the financial incentive was high enough, option two would become by
far and away the most common choice.
So why didn't Microsoft offer a bounty on reporting the bugs rather than
those who exploit them?
Could it be that Bill's boys know that there's just so many security holes
left in Windows that they could end up going bankrupt paying out on such
an offer?
Or could it be that Microsoft simply doesn't understand the difference between
treating the symptom of a problem and treating the cause of that problem?
Whatever the case, I doubt that many hackers will narc on their peers so it's
unlikely that many of Bill's bounties will be collected. Perhaps if you hadn't
already worked it out, you can now see that this bounty offer is just a giant
publicity stunt on Microsoft's part.
If Microsoft were really serious about fixing up their software they'd
be carrying out their promise of "trustworthy computing" and placing security
ahead of new features and functions -- but clearly they're not.
Linux and other Open Source options are looking better every day, don't you
think?