LAS VEGAS -- Microsoft is warming to the idea of compensating independent security researchers, but rather than starting a bug bounty program, the software giant is offering up to $250,000 in cash rewards for innovative security technologies.
In an announcement at the Black Hat 2011 security conference, Microsoft said it would seek out new computer security protection technology via the Microsoft BlueHat Prize competition. BlueHat will reward three security researchers who design a way to prevent the exploitation of memory safety vulnerabilities, an area the company says is its main focus.
The top three winners of the competition will earn cash prizes, which will be given out at Black Hat 2012. The first-place winner will receive $200,000, second place will earn $50,000 and third place will get an MSDN Universal subscription valued at $10,000. Contest submissions will be accepted from Aug. 3, 2011, through April 1, 2012. Entries will be judged against practicality and functionality, how easily the technology can be bypassed and the impact it will have on security.
Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center, told reporters during a press briefing that the submissions should help Microsoft build new protections into Windows, as well as into applications that run on the operating system.
“The prize is inspiring not just the current generation, but the next generation,” Moussouris said. “We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world.”
Gary McGraw, CTO of Dulles, Va.-based software security consultancy Cigital Inc., called the BlueHat Prize a fresh approach to addressing software vulnerabilities. The contest will get the attention of security engineers rather than penetration testers, he said.
“It focuses a lot of attention on a new way of talking about the software security problem,” McGraw said. “We have a million ways to find bugs, but that’s not the problem. The problem is fixing them. They’re focusing on mitigation and fixing as opposed to finding one bug at a time.”
McGraw said the contest has one major hurdle: whether a researcher who has created a great technology will want to give it away for $200,000.
Researchers who submit entries will retain the intellectual property rights but agree to license the technology to Microsoft royalty-free, according to the BlueHat contest's official rules.
Windows already includes built-in protections intended to stop malicious code from accessing memory, but security researchers in recent years have found ways to bypass those technologies. Data Execution Prevention (DEP) marks memory as non-executable unless an application explicitly sets it executable. Address Space Layout Randomization (ASLR), another memory protection feature, is designed to prevent buffer overflow attacks by randomizing the location where system executables are loaded into memory.
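Whether a given Windows binary actually benefits from the two mitigations named above is recorded in its PE header: DEP opt-in is the NX_COMPAT flag and ASLR opt-in is the DYNAMIC_BASE flag in the optional header's DllCharacteristics field, and ASLR only takes effect if the image still carries relocations. The following is an added example written for this page, not code from the article or from Microsoft; the PE header bytes it inspects are constructed inline so it runs offline.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in


def mitigation_flags(pe: bytes) -> dict:
    """Parse DEP/ASLR opt-in status out of a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                 # COFF file header
    (characteristics,) = struct.unpack_from("<H", pe, coff + 18)
    opt = coff + 20                                     # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_opt_in": dynamic_base,
        # DYNAMIC_BASE is meaningless if the loader cannot relocate the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_sample_pe(dll_chars: int, characteristics: int = 0) -> bytes:
    """Construct a minimal, non-runnable PE32+ header (sample data only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)                                # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, flags, coff_chars in [("hardened", 0x0140, 0),
                                    ("relocs-stripped", 0x0140, 0x0001),
                                    ("legacy", 0x0000, 0)]:
        print(name, mitigation_flags(build_sample_pe(flags, coff_chars)))
```

The same function works on a real file read with `open(path, "rb").read()`; a binary that reports `aslr_opt_in` but not `aslr_effective` is the case where a linker set DYNAMIC_BASE but stripped the relocation table.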
HD Moore, CSO of Boston-based vulnerability management vendor Rapid7 LLC and chief architect of Metasploit, said the Microsoft award program focuses on defensive technologies rather than offensive ones. While there is some overlap among researchers, Moore said the program is unlikely to attract interest from bug hunters or exploit writers. Defensive technologies don't actually solve the problem of detecting coding errors and hidden bugs, he said.
“Bug bounty programs can be pretty expensive, so to encourage others to submit defensive technologies is a pretty interesting idea,” Moore said. “There are some people in the research community that have a strong background in this area, but I don’t think the majority of folks submitting bugs today would have any interest.”
Other security researchers expressed their support of the program, but wouldn’t predict whether it would be successful. A Black Hat attendee who declined to be identified said he didn’t think Microsoft would get a large number of submissions from independent security researchers. The time and effort that goes into creating new security technologies would be better put toward working with a security vendor or even creating a security startup, he said.
“Microsoft has a lot of money and a big group of engineers to come up with new security features themselves,” he said.