BlueHat Prize: A new twist on security research incentives

Guest editorial by Matt Thomlinson

This time of year the security researcher community descends on Las Vegas for the annual Black Hat security conference. I look forward to Black Hat each year because it’s such a great scene — there’s something special in the way people come together and openly collaborate on security topics. I also get to show my appreciation to the security researchers who coordinate vulnerability disclosures with us, and it’s a natural time to report back to the community on the previous fiscal year’s activities.

On Monday, we released our annual Microsoft Security Response Center (MSRC) Progress Report. In it are some pretty amazing results. For example, we see widespread support for Coordinated Vulnerability Disclosure (CVD), with nearly 80 percent of vulnerabilities reported to us using CVD, up from 60 percent two years ago.

This year we enhanced our bulletin “Exploitability Index” by breaking out exploitability by platform version, with some interesting results. When we look back at the vulnerabilities addressed by security updates from July 2010 through May 2011, we find newer platforms were either less exploitable or not exploitable at all 37 percent of the time. We also introduced third-party advisories through the Microsoft Vulnerability Research (MSVR) program, and since July 2010, we’ve identified 109 different software vulnerabilities and coordinated with the affected companies to get them addressed.

[ Microsoft to hackers: Cash for exploit mitigation inventions ]

The progress report also highlights our work to coordinate exploit protections through the Microsoft Active Protections Program (MAPP). Since its inception, the program has grown to include 84 protection partners. Last year, Adobe Systems Inc. joined the program to share its product vulnerability information with MAPP partners in order to provide protections to more than 1 billion of our shared customers around the world. Since joining the MAPP program Adobe has shared information on 14 of its security updates. Feedback from this global network of defenders has been tremendous, and partners have told us that the program allows them to deliver protection technology to their customers as much as 75 percent faster than before joining MAPP.

In my role I talk to customers quite often about their concerns; we even recently hosted meetings in Redmond, Wash., with the chief security officers of some of the world’s largest companies to gather their feedback. I hear very clearly that they value our security engineering work to build more resilient products, and when security issues arise, Microsoft Corp.’s security response capability is top-notch. In addition, I get a lot of positive feedback around our outreach and partnership efforts such as MAPP. MAPP was an unconventional approach to a tough security challenge, and it is gratifying to see it foster industry collaboration for the common good of customers.

Looking at the success of MAPP got us thinking about how we might be able to do something similar for the security research community. With so many brilliant security researchers out there, we wanted to inspire research in areas that have the greatest impact and leverage in helping protect customers. We wa

nted to look beyond standard bug bounty programs and reward work on innovative solutions that can mitigate entire classes of attacks. Microsoft’s own research in the area of mitigation technology is a primary example of this — we’ve built such technologies as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and many others into the platform to help defend your computer from attack even when a vulnerability exists. Although we continue to develop new ideas — for example, the Enhanced Mitigations Experience Toolkit (EMET) — we wanted to come up with a way to work with the community to extend state-of-the-art research in mitigation technologies.

The BlueHat Prize is Microsoft’s answer: an innovative contest to inspire collaboration on one of the security industry’s most pressing challenges.

For this contest, we are seeking innovations in runtime mitigation technologies. What do you think is the next DEP or ASLR? If you have an idea, you could be the winner of the Microsoft BlueHat Prize: More than $250,000 in cash and prizes will be awarded to the winners, with a $200,000 grand prize. We value the effort necessary to develop these mitigations, and are optimistic that $200,000 will provide inspiration for researchers to make the commitment. Contest details are at http://www.bluehatprize.com.

Microsoft is committed to improving computer security and the online experience, whether it’s through our own security science and engineering investments, creating information-sharing programs with security protection providers to help protect more than 1 billion computer systems worldwide, or strong relationships with the security research community. We’ve already seen a lot of excitement around the contest and have received positive feedback from customers, industry partners and security researchers. We hope the effect of the BlueHat Prize is to provide a new focus on, and significant advances in, security defense technologies that benefit everyone.

* Matt Thomlinson is general manager in Microsoft's Trustworthy Computing Group.