Microsoft has received 20 submissions in the $268,000 contest it hopes will result in new security technologies being baked into Windows, a company security strategist said this week.
The "BlueHat Prize" contest, which debuted in August 2011, offers $200,000 as a first prize, $50,000 for second, and a subscription to Microsoft's developer network for third place. The three winners will be flown to Las Vegas this July, when Microsoft will announce the results at the Black Hat security conference.
Microsoft collected 20 entries before the April 1 deadline, said Katie Moussouris, a senior security strategist lead at Microsoft, on a company blog.
Between now and Black Hat -- which runs July 21-24 -- Microsoft will evaluate the submissions and pick winners, Moussouris said.
BlueHat Prize was not a bug bounty system, where vulnerability experts are rewarded for uncovering specific flaws in software -- but instead was designed to prod researchers to invent novel technologies that would protect Windows from entire classes of memory bugs.
When Microsoft rolled out BlueHat Prize last year, some experts assumed that the company was after a technology or technique to defeat, or at least deflect, exploits that use "return-oriented programming," or ROP.
ROP can be used by attackers to sidestep current Windows anti-exploit technologies like ASLR, or address space layout randomization.
All submitters -- not just the winners -- will retain intellectual property rights to their work, but must license their technologies to Microsoft on a royalty-free basis. Entries had to provide a prototype 2MB or smaller that ran on Windows and was developed using the Windows SDK (software developer kit).
The licensing provision makes BlueHat Prize an economical way for Microsoft to acquire new security ideas. Even if half of the entries are duplicates or simply not up to snuff, Microsoft could procure 10 technologies or techniques for under $27,000 each, or less than a quarter of what Google paid two researchers last month for vulnerabilities and associated exploits in its Chrome browser.
"It's a cheap way to pay someone else to innovate," said Andrew Storms, director of security operations at nCircle Security, in an interview today.
"Google and others pay for vulnerabilities," added Storms. "Microsoft has never done that. Instead they're paying for innovation. So instead of paying someone to break their stuff, they are paying someone to make it better."
A panel of Microsoft employees from the Microsoft Security Response Center (MSRC), the Windows group and Microsoft's research arm will judge the entries.