Microsoft Offers Prize Money For Enhancing Windows Security
BlueHat Prize contest focused on new ways to defend against memory-safety exploits.
Black Hat
Microsoft took a new spin on security researcher bounties by offering more than $250,000 in cash and prizes for contestants who come with new ways to mitigate exploits.
The new BlueHat Prize contest specifically looks for the most innovative methods for exploiting memory-safety vulnerabilities such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand prize is $200,000; second place, $50,000; and third place, an MSDN Universal subscription valued at $10,000. JIT spraying attacks basically are used to cheat Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) security technologies.
"Microsoft wants to defend against entire classes of attack with the innovation that comes via the BlueHat Prize," Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center, said in a Twitter interview with Dark Reading. "The BlueHat Prize is looking for mitigations to block memory safety exploitation techniques such as ROP or JITSpray."
Unlike bug bounty programs offered by Google and other vendors, Microsoft instead is looking at getting researchers involved in providing solutions, security experts said.
The software giant traditionally has been opposed to offering money to researchers for vulnerability finds, but Moussouris didn't completely dismiss the possibility of Microsoft someday changing its tune on that. "We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," she said when asked whether Microsoft would ever add a bug bounty option.
What happens to the winners' technology? The inventor retains ownership of the intellectual property, and then grants Microsoft a license to the technology; researchers whose technology is not selected by Microsoft also still own their intellectual property.
The BlueHat Prize contest kicked off Wednesday, with a submission deadline of April 1, 2012. A panel of Microsoft security engineers will judge the technologies based on practicality and functionality (30%); robustness (30%); and impact (40%).
Read the rest of this article on Dark Reading.
Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024