Microsoft Offering $250,000 in Windows Security Contest
Researchers who develop new security technologies to protect Windows against exploits can be up to $200,000 richer, thanks to a BlueHat Prize contest announced by Microsoft.
The contest is open for participants now, and Microsoft will accept submissions until April 1, 2012. BlueHat is a Microsoft security conference event, but the BlueHat Prize winner will be announced at the Black Hat 2012 conference. No venue for that event appears announced yet.
Redmond will be handing out a cash prize of $200,000 for first place, $50,000 for second place and two lifetime memberships to the MSDN subscription service for third and fourth place winners. The goal is to create the best "novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities."
Unlike similar security contests like Pwn2Own, which awards participants who can find vulnerabilities in specific software, Microsoft's contest will be rewarding individuals who make it harder for vulnerabilities to pop up in the first place.
"Our interest is to promote a focus on developing innovative solutions rather than discovering individual issues. We believe the BlueHat Prize can catalyse defensive efforts to help mitigate entire classes of attacks," said Matt Thomlinson, Microsoft Trustworthy Computing Group's general manager, in a released statement.
Those who have their work chosen as winners will still retain ownership of the intellectual property and will only grant Microsoft a license to use it.
Each entry will be judged based on the following criteria:
- Practicality and functionality (30 points)
- Impact (40 points)
- Robustness, or how well it holds up against attacks (40 points)
The contest is aimed at finding new Windows security technology, but it may also spur new thinking.
"This call for entries promises to stimulate research activity within the broader security community on how to mitigate entire classes of attacks rather than thinking about software security as a challenge best addressed one bug at a time," said Brad Arkin, senior director for product security and privacy at Adobe. "This research has the potential to lower costs for third-party developers and increase the level of security assurance for end users."
More information, including official rules, can be found here.