Mike Reavey, director of Microsoft’s Security Response Center, says Microsoft wants the researchers to report flaws without fear of repercussions. “We take security very seriously; our focus is to put customer safety first,” Mr. Reavey said. “We realize we can’t do this alone, which is why we want to partner with the research community.”

Dino A. Dai Zovi, a prominent white hat computer security expert at Trail of Bits, a New York security firm, said he liked to work with companies.

“If you find something new, not only are you protecting people that use a system, but there’s the excitement and thrill of finding something new that no one else knows about,” Mr. Dai Zovi said.

He is also motivated by the money available to the bug hunters, as they are also known. In 2006 he won $10,000 at a major white hat competition sponsored by TippingPoint, a security company, by breaking into an Apple laptop through a vulnerability in the Safari Web browser and video player. Mozilla, the maker of the Firefox Web browser, and Google both announced last week that they would begin paying for new bug discoveries, too.

Gray hats may bask in the recognition, but some can also seek to make money from an exploit. One of the gray hats, a security researcher based in Singapore who would not share his real name and goes by the online pseudonym The Grugq, chooses not to tell companies about the bugs he finds, he said via instant message. Telling Microsoft about a loophole earns only a “gold star,” The Grugq said.

Hackers can sell or trade the flaws they uncover in what is called the bug market, until the company plugs the hole and renders it worthless. “The people actively using the bugs get very upset when they die,” wrote The Grugq. Some bugs can sell for as much as $75,000 online.