Driving Defensive Security Innovation with the BlueHat Prize

A year ago this week we extended a challenge to the security community: a challenge to be unconventional; a challenge to look beyond the norm. Rather than reward a continued focus on finding individual problems (which we all know will exist; it’s the nature of the software industry), we wanted to inspire new lines of research and incent a focus on innovative solutions that can mitigate entire classes of attacks.

We created the BlueHat Prize — a program aimed at nurturing innovation in exploit mitigations intended to address serious computer security threats. The response from the security community was overwhelmingly positive. This was something new and different, which the industry needs to help solve hard security problems. We received 20 qualified submissions, all with unique and interesting approaches to solving challenging security issues. Proposals came from around the world and spanned the entire industry from the research community to academia. The finalists all chose to create mitigations that prevent Return-Oriented Programming (ROP) exploits from succeeding. This is an area where we’re seeing a lot of attacks lately, so it’s encouraging to see a collective focus here.

Last month, we narrowed down those submissions to three finalists who will be awarded more than $250,000 in cash and prizes at our Black Hat Researcher Appreciation Party on Thursday night. At Microsoft, we’re committed to improving computer security and the online experience for all of our customers. We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products and services. The BlueHat Prize is just one area where our defensive thinking has led to better protections. The prize has gone from an announcement to real protection for customers within a single calendar year. Working together across the security community and IT ecosystem can help make the journey safer for all.


About the Author

Director, Trustworthy Computing