Microsoft dons $250,000 BlueHat to promote defensive security research

The BlueHat prize is designed to generate new ideas in exploitation mitigation technologies, said Mark Thomlinson, general manager of the Trustworthy Computing Group, in announcing the new initiative at the Black Hat security conference. It is based on the Microsoft Active Protections Program (MAPP), which is designed to encourage researchers to work on solutions that can mitigate entire classes of attack.

Prizes will be awarded to contestants who design the most effective ways to prevent the use of memory safety vulnerabilities, a focus area for Microsoft. Examples of similar security technologies include data execution prevention, which helps prevent attacks that attempt to exploit vulnerabilities in software.

The top winner will receive $200,000, second place will get $50,000, and third place will receive a subscription valued at $10,000 to MSDN Universal. The deadline for entries is April 1, 2012, and the winners will attend Black Hat 2012 on Microsoft’s dime. Applicants can be as young as 14 years old.

The BlueHat prize is the first and largest incentive prize offered by Microsoft for defensive computer security technology, noted Katie Moussouris, senior security strategist for the Microsoft Security Response Center.

“Why are we doing this? Mitigation technologies are a useful area of research because they can really help protect customers from vulnerabilities in our operating systems as well as applications that run on top of them”, Moussouris said during an Aug. 3 teleconference.

The winners will retain the intellectual property to their invention and will license the technology to Microsoft under a no-royalty license, she explained. “It is up to the inventors how they wish to share the technology with the rest of the world”, she added.

Microsoft judges will assess entries based on practicality, functionality, robustness, and impact, Moussouris explained.

In addition, the Microsoft Security Response Center last week released its annual progress report, which shows widespread support for coordinated vulnerability disclosure (CVD). Over the last year, 80% of the vulnerabilities reported to Microsoft used CVD, up 20% from the previous year.

Also, Microsoft Vulnerability Research identified and disclosed 109 software vulnerabilities affecting a total of 38 software vendors, who have responded and coordinated on 97% of the vulnerabilities reported.
