LAS VEGAS–In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to “inspire researchers to focus their talents on defensive technologies,” the company said.
Known as the Blue Hat Prize, after the company’s regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google and Mozilla do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs.
“When we looked at the various economic incentive models, the bug bounty was among them. But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,” said Katie Moussouris, senior security strategist in Microsoft’s Trustworthy Computing Group. “There’s recognition and there’s what I call the pursuit of intellectual happiness, just the act of finding these issues.”
Under the rules of the Blue Hat Prize program, any researcher 14 or older is eligible, and the researchers who win prizes will not only get the cash prize, but also will retain full intellectual property rights to the technology. The winners have to agree to license the technology to Microsoft, however.
The top prize is $200,000, second prize pays $50,000, and third prize is a one-year MSDN subscription, which is worth $10,000. Microsoft also will fly the three winners to Black Hat next year.
Researchers have been calling for Microsoft to start a bug bounty program for several years now, and company officials have repeatedly said that Microsoft is not interested in paying for individual vulnerabilities. This new program sidesteps that debate by encouraging researchers to find a new way to mitigate attacks against an entire class of bugs rather than rewarding individual bug reports.
“Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples,” Microsoft said in the rules for the program, which are on the Blue Hat Prize site.
Entries are going to be judged by a panel of security experts from Microsoft teams, including the Microsoft Security Response Center, the Windows team and others.
Moussouris said that Microsoft was looking for a way to inspire researchers to focus their talents on defensive technologies and not just finding bugs.
“This seemed the best way for us to engage with the research community and protect customers simultaneously,” she said.