Reward or Punishment ?

I was thinking just the other day about how Microsoft pays bounties for information that leads to the successful prosecution of hackers and virus writers.  Although a useful approach it’s a reactive one, not a pro-active one.  And I thought, gee wouldn’t it be better if MS had a reward based scheme for people finding hacks and letting them know. Well looks like the open source people read my mind and also beat MS to the punch.  Linspire and Mozilla now offer a bounty for bugs.

For Microsoft, considering the recent events where it took them something like eight weeks to patch the cross zone exploitation, and nearly a year to decide that ADODB stream was not a safe implementation, then you would think they would try to take a pro-active approach.  Problem is, that would mean Microsoft would have to release the source code.  These days considering all the patents they have in place, hardly seems like there is legitimate reason not too J

But that kind of ideology change in Microsoft would probably take years.  Perhaps a better approach would be if they out-sourced it.  That way they could control who sees the source, while keeping costs down.  They could have the contract bounty based, with both rewards and punishments.   One thing is for sure, Microsoft’s inability to fix internet explorer in a timely manner highlights the need for the ship to change the way it sails.