FRAMINGHAM, MASS. — Microsoft has received 20 submissions in the $268,000 contest it hopes will result in new security technologies being baked into Windows, a company security strategist said last week.
The “BlueHat Prize” contest, which debuted in August 2011, offers $200,000 as a first prize, $50,000 for second, and a subscription to Microsoft’s developer network for third place. The three winners will be flown to Las Vegas this July, when Microsoft will announce the results at the Black Hat security conference.
Microsoft collected 20 entries before the April 1 deadline, said Katie Moussouris, a senior security strategist lead at Microsoft, on a company blog yesterday.
Between now and Black Hat — which runs July 21-24 — Microsoft will evaluate the submissions and pick winners, Moussouris said.
BlueHat Prize was not a bug bounty system, where vulnerability experts are rewarded for uncovering specific flaws in software — but instead was designed to prod researchers to invent novel technologies that would protect Windows from entire classes of memory bugs.
When Microsoft rolled out BlueHat Prize last year, some experts assumed that the company was after a technology or technique to defeat or at least deflect exploits of “return-oriented programming,” or ROP vulnerabilities.
ROP bugs can be used by attackers to sidestep current Windows anti-exploit technologies like ASLR, or address space layout randomization.
All submitters — not just the winners — will retain intellectual property rights to their work, but must license their technologies to Microsoft on a royalty-free basis. Entries had to provide a prototype 2MB or smaller that ran on Windows and was developed using the Windows SDK (software developer kit).
The licensing provision makes BlueHat Prize an economical way for Microsoft to acquire new security ideas. Even if half of the entries are duplicates or simply not up to snuff, Microsoft could procure 10 technologies or techniques for under $27,000 each, or less than a quarter what Google paid two researchers last month for vulnerabilities and associated exploits in its Chrome browser.
“It’s a cheap way to pay someone else to innovate,” said Andrew Storms, director of security operations at nCircle Security, in an interview today.
“Google and others pay for vulnerabilities,” added Storms. “Microsoft has never done that. Instead they’re pay for innovation. So instead of paying someone to break their stuff, they are paying someone to make it better.”
A panel of Microsoft employees from the Microsoft Security Response Center (MSRC), the Windows group and Microsoft’s research arm will judge the entries.
In another blog last week, Moussouris said that the quantity and quality of the entries — up to at that point only 10 — had “exceeded our expectations.”
She did not name the participants, but did say that they included security researchers “with great track records,” individuals or teams from academia, and others.
From her account, most contributors worked close to the April 1 deadline: Half of the 20 total submissions were filed in the last nine days of the contest, and one squeezed in under the wire with just nine minutes to spare last Saturday.
In fact, Microsoft rejected a submission that missed the deadline by just eight minutes. Moussouris cited “fairness to the others” as well as Washington State contest rules as the reasons why the company wouldn’t bend.
Although there’s virtually no chance that anything Microsoft receives from BlueHat Prize could make it into Windows 8 — this year’s upgrade will likely reach the “release to manufacturing” milestone just weeks after the contest winners are revealed — the company could roll some of the technologies into a Windows 8 service pack next year, Storms said in a 2011 interview when BlueHat Prize debuted.
Microsoft has done something similar in the past: In mid-2004, it revamped Windows XP’s security with Service Pack 2 (SP2).