"Obviously if Microsoft offered more than the black-market prices, everyone would just sell their exploits to them."
Yes, however from a business-oriented viewpoint this portrays the company as having its balls in the hands of 'outsiders'. As a smart, 'enterprisingly minded' human being, would you buy software from a company, which you plan to deploy on thousands of machines, if you knew that some of the security testing and possible patch submissions on it may have been handled by ex-cons/hackers/crackers/stfu/criminals/etc.?
I am not saying it would be substandard, but I think that a lot of people would feel something intuitively wrong with that. In a lot of ways it's like saying you got a friend's friend who is a robber to test out your alarm for you.
However, at the same time, as pointed out "The people they would be paying money to are not criminals or bad people, they're legitimate researchers who just can't afford to do work for Microsoft for free when they could be doing something else for money."
Yes, there are a lot of legitimate security researchers out there, but let's say the CashPerExploit deal was introduced. Do you not think there would be an adequate amount of better-trained 'nefariously minded' exploit finders? One bad apple fucks up the box. If companies got the impression that there is a possibility their software supplier uses such people, I think their confidence in the company would loosen.
But having said that, once it becomes a business enough people might get 'trained up' quickly.
I work for a company that uses a variety of Microsoft technologies deployed over quite a few machines. Not hundreds, or thousands, just a tad higher! You'd be surprised at how relaxed they are about security, but me, I am generally just paranoid anyway. This is the first experience I have had in an 'enterprise environment', but all of the above is just me suspecting that other companies have a different corporate strategy for their security. I must say, for how successful they are, they really do believe in solely using M$ products, and products developed by companies who have good relations with M$.
I don't know, maybe it's like being with a gang of people. You're either on the FSF's land or somewhere in Redmond. A sense of security fostered by a recorded long term relationship of software development companies. Maybe it's less about the company, and more about consistency derived from their strong relationship. Patches each month, deployment Friday, etc... A big corporate bureaucratic machine survives on things like this, a bit like the x86 idea, make it simple, and make it fast/reliable. Hah, I'm laughing too....
"Deco, ya stallin' it up to mouseys gaff? We'll get mad ourra'vih!"