Microsoft has chosen a new song to continue its public slow dance with the white hat hacking community: online properties like *.microsoft.com, *.msn.com and *.live.com.
According to Dan Goodin reporting from Toorcon Seattle, Microsoft security strategist Katie Moussouris pledged that the software vendor will not sue or press charges against ethical hackers who responsibly find–and report–vulnerabilities in its online services.
The embrace of the hackers is not entirely new–Microsoft has been addressing this issue in hacker forums–but the public offer of immunity for hackers who hunt for holes in its Web properties is seen as significant.
In a nutshell, it’s not legal to hack into Web sites–see this post by Veracode’s Chris Wysopal–and many SaaS (software as a service) companies frown on attempts to attack their servers, even by researchers who expect to do so with impunity.
But, as Microsoft’s Moussouris points out, companies should be thankful when researchers help pinpoint weaknesses in online systems.
“The philosophy here is if someone is being nice enough to point out your fly is down, they’re really doing you a favor and you should thank them rather than calling the cops and saying you’re a pervert.”
Microsoft has set up a special Web site to acknowledge and thank hackers who report online vulnerabilities. Since July 2007, 48 hackers have been credited with finding Web site bugs.
* Photo credit: jem (Creative Commons 2.0)