Microsoft baits trap with $100K in hunt for new exploit techniques

Puts money where its mouth is, say security experts, to make Windows ecosystem more secure

Page 2 of 2

Two of the top three finalists of the BlueHat Prize, including the first-place winner who took home $200,000, were academic researchers.

"What I like about [the Mitigation Bypass Bounty] is that it has the potential to help other software," said Wysopal. "This type of program certainly helps [Microsoft] but they've had an ecosystem-wide approach," he added, referring to the company's repeated efforts to help other Windows developers secure their products. "I would hope that they would share any information to help other vendors write to the Windows platform."

Wysopal wondered, however, if the $100,000 was enough.

"If someone tried selling [a novel exploit technique], they could make a lot more money than that," Wysopal said. "On the other hand, it's more work to create all those individual zero-day exploits, then market them. So some people will go for [Microsoft's reward]."

But because Microsoft expects winning bypass submissions to also include an accompanying entry for the $50,000 BlueHat Bonus, the total may be closer to $150,000. "In practical terms, [BlueHat Bonus] ideas will come from the same researcher who submitted a Mitigation Bypass," said Moussouris.

Storms expected that Microsoft would integrate the results of both award programs into future versions of Windows, or at the least incorporate some of the defensive techniques it receives into EMET (Enhanced Mitigation Experience Toolkit), as it did with at least one BlueHat Prize finalist's technology.

"I think [Mitigation Bypass] may have been spurred by Pwn2Own at CanSecWest this year," Storms added, talking about the March hacking contest where Microsoft's Internet Explorer was exploited by a team from the French vulnerability broker Vupen. "The tools used by Vupen to bypass [Windows' and] IE's mitigations were novel, and there was talk that Vupen handed those tools to Microsoft. But if they did, it meant [Vupen] had something much better."

Knowing that, Storms speculated, got Microsoft thinking about how to shake loose exploit techniques it had not yet heard of or seen used in the wild. "I think they said, 'There's a lot we don't know, but let's see if we can nip [new techniques] now instead of hackers using them in public exploits.'"

The BlueHat Bonus and Mitigation Bypass Bounty programs are open-ended, but apply only to Windows 8.1. Microsoft has published submission guidelines on its website, as well as an FAQ on the rewards.

This article, Microsoft baits trap with $100K in hunt for new exploit techniques, was originally published at

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.


Copyright © 2013 IDG Communications, Inc.
