Microsoft has ruled out paying security researchers bounties for exploits, as practised by other industry firms.

Speaking to vnunet.com at Infosecurity 2007 Microsoft chief security advisor Roger Halbheer ruled out making payments to researchers who discover vulnerabilities.

Instead the company wants to work with security researchers and credit them in monthly updates.

"I do not think paying is a healthy idea," he said. "We run a researcher conference at Redmond, called Bluehat, and once researchers see how we work they will start to trust us. After all, we are not lazy over fixes, but patches are very complex to develop."

Halbheer explained that it can sometimes take several hundred days to build a patch, in part because of a long testing process. For example, a patch for the IE browser has to go through over 400 tests before being released.

Microsoft has not been averse to using bounties before in specific circumstances. Three years ago it offered a $250,000 bounty for the author of the MyDoom worm, and Mozilla offers $500 and a free T-shirt for each vulnerability found.

Others in the industry also use the tactic. The US Federal Trade Commission has suggested bounties of up to $250,000 for information leading to the conviction of spammers.

Security research companies Tipping Point and iDefence also use the tactic.