---
layout: post
author: Pascal Cuoq
date: 2013-06-19 19:09 +0200
categories: cybersecurity link
format: xhtml
title: "Microsoft's bug bounty program"
summary:
---
{% raw %}

I like Robert Graham's analysis of Microsoft's new bug bounty program.

I would never have thought of selling vulnerabilities to the NSA (but then I am not American and not a security researcher). Does the NSA not employ qualified people to look for vulnerabilities as their day job? Is that not like trying to sell a loaf of bread to a company whose business is to make bread?

Sometimes you have a really good loaf of bread, but still… Regardless of whether the NSA already owns your particular loaf of bread, and independently of the payment-by-carrot-or-stick discussion, you are a competitor, not a provider.

{% endraw %}