It wouldn't be the first time Microsoft has screwed over independent security researchers. There's a Twitter thread of a researcher who was accepted into the Azure bounty program, found a lot of important zero-day vulnerabilities, and was paid nothing. In fact he expected to be paid for his findings, and then had trouble with his basic living expenses. Anyone who has worked with bug bounties should know to stay far away from them, since you can't get assurance you'll be paid (and companies are not incentivized to pay security researchers).
One thing I don’t understand is why security folks still bother with public bounty programs, when I hear that the market for software reviews is massive and very profitable. Is there a gap in the market for something that can matchmake skilled people with companies at reasonable rates...?
Most of us don't bother with bounties anymore. There are a lot of types of software review so I'm not quite sure which one you're referring to. If you're talking about matchmaking for pentests then you're essentially describing a bounty program, the only difference is that bounty programs don't pay researchers for their time. If you're referring to blog/publications on security then this is the first time I've heard of that market.
I’m thinking of security-oriented code reviews of various enterprise software. One of my old clients commissioned some last year over a piece of work I made, and apparently they had to go “to hell and back” to source a reputable (and very expensive) reviewer somewhere in California, while I’m sure there must be plenty of UK talent available. They then had someone else pentest it as a black box, which is definitely easier to source locally, although the quality can be very variable. I understand it is a very sensitive area; maybe it needs some sort of professional body to provide accreditation, self-regulate and promote reputable members, I don’t know.
I think bounties are an unbalanced system; as you say, pentesters don’t get paid for their time and often don’t get paid at all, like in this case. There must be a better way, where an independent third-party can judge actual severity of the hole and sanction payments.
This is a bit of a guess, since this kind of security research is but a hobby to me, but if, with reviews, you cannot publicly post your results after they're fixed, the best way to build a portfolio would be public bounty programs. And without a good portfolio, you don't get hired for reviews.