Microsoft awards researcher $100,000 for sophisticated attack technique (i.e., not just finding a security flaw, but a technique that could uncover numerous security flaws). This seems to be part of a program meant to reward researchers for high-value work, namely attacks that bypass memory protection mechanisms such as DEP and ASLR.
Google is taking a similar approach, offering cash rewards to developers who fix Linux flaws.
Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet.
The rewards are smaller, but presumably many more people can fix flaws than can come up with novel attack vectors. Note that Google is taking things a step further: developers should both identify a security flaw and also provide an update that fixes it (made possible by the open-source nature of Linux).
Programs like these aren’t new, but I can’t help wondering if I’m seeing more of them due to the black eye many US tech companies sustained following the Snowden/NSA leaks. In any event, if additional priority is going into IT security by some of the world’s biggest firms, that might actually be a very positive development for security in the aggregate. When IT security improves in a general sense, we are all better off (unless you work for a 3-lettered agency).