Microsoft encourages researchers to hack

Security researchers are free to investigate Microsoft's online services for security bugs, without fear of prosecution -- as long as they submit the bugs they find "responsibly" to Microsoft, the company said this week.

What's more, this policy has been in place at least since July 2007, Microsoft said, although it appears to be news to most researchers.

The immunity from prosecution for such research is a significant issue, as even legitimate security researchers are in danger of prosecution if they report flaws they've found on third-party online services.

However, Microsoft said this week it wants to encourage legitimate researchers to carry out their work, and is willing to stand by its policy of not suing them, as long as disclosure is carried out in a way that doesn't pose a danger to users.

"Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions," said Microsoft security response communication manager Bill Sisk, in a statement provided to journalists. "As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services."

Sisk pointed to a company Website -- part of the Microsoft Security Response Center (MSRC) -- set up in July 2007 expressly to credit researchers who responsibly disclose bugs in Microsoft online services.

In its FAQ, the site states that "Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities."