It's funny, you know: I didn't think Microsoft paid hackers (and I use the term hackers loosely) for finding security holes, but in a turn of events Microsoft is offering a bounty on the hackers responsible for the Conficker worm.
Microsoft offers a bounty to find the culprits, and yet they do not offer a reward for those who find and prove to Microsoft the existence of current security holes before releasing that information to the hacker community.
Let me play Devil's Advocate for a moment, if you will. Try to put yourself in the hacker's mind. You're a programmer, and you cannot get work because some areas of the market are saturated. You end up in some low-skilled, low-responsibility, low-paid job and don't get to satisfy your mind. You've probably also got a lot more time on your hands after work. There's no financial reward from Microsoft for finding security holes and writing a patch, or at least informing Microsoft before things hit the fan, so what is left for them to do? Well, of course they could still inform Microsoft...it is the right thing to do. Then let me ask you this: why is there an ever-increasing amount of cyber crime?
It's simple, Microsoft: if you were offering good money for the discovery and proof of these security holes without leaking to the media or the hacker community, you might find a decrease in these threats. I doubt it would remove them completely, but the guy at the hacker level in the whole global cyber crime syndicate might change alliances if it were worth their while.
You win! I ROCK!
Good night Seattle.