Microsoft acquires 20 new Windows security ideas for $13,400 each
$268,000 BlueHat Prize contest 'cheap way to get someone else to innovate,' says expert
Computerworld - Microsoft has received 20 submissions in the $268,000 contest it hopes will result in new security technologies being baked into Windows, a company security strategist said Tuesday.
The "BlueHat Prize" contest, which debuted in August 2011, offers $200,000 as a first prize, $50,000 for second, and a subscription to Microsoft's developer network for third place. The three winners will be flown to Las Vegas this July, when Microsoft will announce the results at the Black Hat security conference.
Microsoft collected 20 entries before the April 1 deadline, said Katie Moussouris, a senior security strategist lead at Microsoft, on a company blog yesterday.
Between now and Black Hat -- which runs July 21-24 -- Microsoft will evaluate the submissions and pick winners, Moussouris said.
BlueHat Prize was not a bug bounty system, where vulnerability experts are rewarded for uncovering specific flaws in software -- but instead was designed to prod researchers to invent novel technologies that would protect Windows from entire classes of memory bugs.
When Microsoft rolled out BlueHat Prize last year, some experts assumed that the company was after a technology or technique to defeat or at least deflect exploits of "return-oriented programming," or ROP vulnerabilities.
ROP bugs can be used by attackers to sidestep current Windows anti-exploit technologies like ASLR, or address space layout randomization.
All submitters -- not just the winners -- will retain intellectual property rights to their work, but must license their technologies to Microsoft on a royalty-free basis. Entries had to provide a prototype 2MB or smaller that ran on Windows and was developed using the Windows SDK (software developer kit).
The licensing provision makes BlueHat Prize an economical way for Microsoft to acquire new security ideas. Even if half of the entries are duplicates or simply not up to snuff, Microsoft could procure 10 technologies or techniques for under $27,000 each, or less than a quarter what Google paid two researchers last month for vulnerabilities and associated exploits in its Chrome browser.
"It's a cheap way to pay someone else to innovate," said Andrew Storms, director of security operations at nCircle Security, in an interview today.
"Google and others pay for vulnerabilities," added Storms. "Microsoft has never done that. Instead they're pay for innovation. So instead of paying someone to break their stuff, they are paying someone to make it better."
A panel of Microsoft employees from the Microsoft Security Response Center (MSRC), the Windows group and Microsoft's research arm will judge the entries.
In another blog last week, Moussouris said that the quantity and quality of the entries -- up to at that point only 10 -- had "exceeded our expectations."
She did not name the participants, but did say that they included security researchers "with great track records," individuals or teams from academia, and others.
From her account, most contributors worked close to the April 1 deadline: Half of the 20 total submissions were filed in the last nine days of the contest, and one squeezed in under the wire with just nine minutes to spare last Saturday.
In fact, Microsoft rejected a submission that missed the deadline by just eight minutes. Moussouris cited "fairness to the others" as well as Washington State contest rules as the reasons why the company wouldn't bend.
Although there's virtually no chance that anything Microsoft receives from BlueHat Prize could make it into Windows 8 -- this year's upgrade will likely reach the "release to manufacturing" milestone just weeks after the contest winners are revealed -- the company could roll some of the technologies into a Windows 8 service pack next year, Storms said in a 2011 interview when BlueHat Prize debuted.
Microsoft has done something similar in the past: In mid-2004, it revamped Windows XP's security with Service Pack 2 (SP2).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts