icrosoft said yesterday that it was putting a bounty on the heads of virus writers.
At a news conference in Washington including national and international law enforcement officials, Microsoft announced a $5 million antivirus reward program to encourage tipsters, with initial rewards of $250,000 for evidence leading to the capture and conviction of the original authors of the MSBlast and SoBig programs, which plagued Internet users this year.
"Those who release viruses on the Internet are the saboteurs of cyberspace," said Brad Smith, the company's senior vice president and general counsel, "and Microsoft wants to help the authorities catch them."
Microsoft's products are often the targets of virus writers and hackers, in part because the software is so popular that so-called malware can have a big impact, and in part because the company is despised in many cyberspace neighborhoods.
The response among security specialists to the Wild West-style initiative was generally positive, but with a smile. "Wanted - dead or alive!" joked Patrick Gray, director of emergency response services for Internet Security Systems, a company based in Atlanta. "We're going back hundreds of years now."
But like many other security professionals, he applauded the move, saying, "I love it."
Others expressed skepticism. "Why don't they pay people to fix the vulnerability, rather than pay for people to go to jail for exploiting them?" asked Mark Rasch, chief security counsel at Solutionary Inc., a security company based in Omaha, Neb. "Doesn't that sound desperate?"
A Microsoft official called that view unfair. "We spend a large amount of money and spend great efforts to increase the security of our software and our services," said Philip Reitinger, Microsoft's senior security strategist, who said the company's "trustworthy computing initiative" includes extensive training for programmers and vulnerability testing of new code. Mr. Reitinger, who worked for the Justice Department on computer crime before joining Microsoft, said, "it's still very hard to catch people online."
Two men have been arrested and charged with writing variants of MSBlast, also known as blaster, but the original author remains unknown.
The bounty, Mr. Reitinger said, will "encourage people to do the right thing" and contact the company about something they might have read in an online chat or heard from a bragging colleague.
The hope is that there will be no honor among hackers, and that an amount of money that is probably less than Microsoft spends annually on paper clips will be a big motivator to tattle in the computer underworld, security specialists said.
"It will probably be easier to get a $250,000 reward than to break into some company's network," collect credit card numbers and commit identity theft, said Mr. Gray of Internet Security Systems. "It's much less work."
