X

Microsoft offers $250,000 for security defense research

Redmond still says no to bug bounties, but offers a $200,000 first prize and $50,000 second prize instead for research in security defense.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 
Katie Moussouris, head of Microsoft's Security Community Outreach and Strategy team, announces the Microsoft BlueHat Prize for security defense research.
Katie Moussouris, head of Microsoft's Security Community Outreach and Strategy team, announces the Microsoft BlueHat Prize for security defense research. Microsoft TechNet

LAS VEGAS--Microsoft today announced that it will give out $250,000 in BlueHat Prize rewards for innovative research on computer security defense.

Winners will be announced at next year's Black Hat security conference, with the grand prize being $200,000 and second prize being $50,000, Katie Moussouris, head of Microsoft's Security Community Outreach and Strategy team, said in a conference call from the conference being held here.

Researchers will own the intellectual property from their inventions and Microsoft will be able to use the technology under a royalty-free license, she said.

"This is a new program to inspire security researchers to focus on security defense technologies," she said. The initiative features more than $250,000 in cash and prizes "for original ideas to protect customers."

"The inaugural Microsoft BlueHat Prize contest challenges security researchers to design a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities," like buffer overflows and dangling pointers that deal with random-access memory (RAM), the Microsoft BlueHat Prize Web site says.

Microsoft employees are ineligible and participants have to be 14 years or older. Contestants have until April 1, 2012, to submit their work.

Unlike Mozilla, Google and now Facebook, which offer bug bounty programs, and TippingPoint's Zero Day Initiative, which offers top dollar for bugs discovered in Microsoft software, Microsoft does not pay vulnerability researchers when they report bugs. Moussouris said the company is sticking with that policy.

"There are a lot more motivations for vulnerability research on our products than just money," she said, including public recognition and the "pursuit of intellectual happiness."

"Even though there is an existing legitimate market for individual vulnerabilities...the researchers who find vulnerabilities in Microsoft products tend to come straight to us and forgo some of those individual reward programs," Moussouris said. "We respect the researchers' rights to make a living off their research."