Microsoft to pay $250,000 for hot new security defenses

In search of new ideas

Microsoft is offering more than $250,000 to researchers who develop new security defenses to protect Windows users against attacks that exploit software bugs.

Microsoft's Blue Hat Prize announced on Wednesday at the Black Hat security conference will pay $200,000 for the best “novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.” The two runners up will receive $50,000 and a MSDN Universal subscription valued at $10,000, respectively.

“The Microsoft BlueHat Prize contest is designed to generate new ideas for defensive approaches to support computer security,” the software maker's announcement stated. “As part of our commitment to a more secure computing experience, we hope to inspire security researchers to develop innovative solutions intended to address serious security threats.”

Microsoft over the years has added an alphabet soup of protections to its software that are designed to mitigate the damage that can be done when hackers discover buffer overflows and other bugs that inevitably afflict any complex piece of code. ASLR, or address space layout randomization; DEP, or data execution prevention; SEHOP, or structured exception handling overwrite protection; and SafeSeh are just some of the examples.

The protections aren't intended to prevent bugs, but rather to prevent attackers from exploiting them to steal data or remotely execute malicious code on vulnerable systems.

“This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology,” Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing Group, wrote here. “In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations.

Wednesday's announcement came a week after Facebook joined Mozilla and Google in paying cash bounties to researchers who privately report security vulnerabilities in their software and services. Microsoft continues to steadfastly refuse to reimburse bug discoverers for the time and expertise they provide in helping stamp out bugs on the Windows platform.

Contest rules are here. ®

Sponsored: How to determine if cloud backup is right for your servers