Security researchers have long criticized Microsoft for refusing to pay bounties for bugs they find in its software, a practice adopted by Google, Facebook and other tech firms. Now Redmond is taking a different approach: paying outside hackers to find new defenses, instead.
The company announced at the Black Hat security conference in Las Vegas Wednesday that it's launching the Blue Hat Prize, a contest to invent new software security defense technologies, offering $250,000 in prizes to be awarded at next year's Black Hat.
"Microsoft wants to encourage more security experts to think about ways to reduce threats to computing devices,” Katie Moussouris, a strategist for Microsoft's Security Response Center wrote in a statement to reporters. “We’re looking to collaborate with others to build solutions to tough industry problems. We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world.”
In the inaugural round of the competition (see the rules here) Microsoft is challenging researchers to build a new defense against memory exploitation--essentially a way to prevent hackers from using a computer's memory to perform malicious commands. Two examples of those sorts of defenses that already exist in Windows and Mac operating systems are Data Execution Prevention, which prevents data masquerading as mere content like a number or name to be used as an executable command, and Address Space Layout Randomization, which scrambles where commands are kept in memory so that hackers can't find them to hijack them for malicious purposes.
The first prize in that competition will be $200,000, with $50,000 for the second place prize and a less thrilling free subscription to Microsoft's developer network for the third place winner. Prizes will be awarded at next year's Black Hat conference.
The contest is open to researcher outside of Microsoft or government employees. And in a canny recognition of teenagers' ability to out-think adults on many security issues, it welcomes minors as young as 14.
Microsoft has been careful to stress that it won't own the winning invention, but it claims the right to license it non-exclusively from the inventor. "We wish to share this with the rest of the world," Mossouris told reporters.
Mirosoft's security prize payout contrasts with the rest of the industry's trend towards offering cash rewards for specific vulnerabilities they find in its code. Google offers as much as $3,1337 for a single bug, (a reference to a numerical method of writing "elite" in hacker jargon) and Facebook launched a program to buy researchers' bugs for $500 apiece two days ago.
But Microsoft's Mossouris argues that researchers have never hesitated to share their findings of flaws in the company's code for free. Despite the existence of projects like HP's Tipping Point and Verisign's iDefense, both of which pay for bugs and then share them with vendors, Mossouris says 90% of Microsoft's bugs are given to the company directly by researchers without reward.
Even as it decline to pay for bugs, the company hasn't hestitated in the past to put bounties on the heads of hackers themselves, including $250,000 for the cybercriminals behind the Conficker worm and the same amount for the author of the Rustock botnet. At least in this case, it's offering a quarter-million dollar carrot along with its usual stick.
