03 Aug 2011
Microsoft has announced a competition for security researchers to invent software that blocks entire classes of computer attacks, and is putting up $260,000 in cash and prizes as an incentive.
The Blue Hat Prize will be awarded to a researcher who finds a way of blocking entire classes of attacks on memory vulnerabilities in Windows, and a cash payment of $200,000 will be awarded at next year's Black Hat USA conference.
A second prize of $50,000 is available, and the third-placed contestant will get an MSDN Universal subscription worth $10,000.
"This is the first and largest incentive prize ever offered by Microsoft, and possibly ever in the industry," said Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center (MSRC).
"We're looking to make life more costly for criminals. The value of the prize will go beyond dollars, however. We're looking to inspire researchers from industry, academia and even hobbyists."
The entries will be judged on their practical and functional attributes, how easily they can be deployed on Windows, and how easy they would be to bypass. The judging panel will include members of MSRC, the Windows team and Microsoft Research.
"We're rewarding work on innovative solutions to mitigate entire types of attack," said Matt Thomlinson, general manager of the Trustworthy Computing Group at Microsoft.
"We considered how to inspire the security community, how to extend the state of art in this area."
The prize is also a smart financial move for Microsoft. The company will retain a royalty-free licence for the winning technology, but the researcher will own the rights and can develop it freely.
Entries are now being accepted and the contest runs until 1 April 2012. It is open to anyone over the age of 14 (minors will need parental permission), except Microsoft employees and entrants from countries under US trade embargoes.
The use of cash incentives for security researchers is legitimate, Microsoft said, but the company confirmed that it will not start a bug bounty system similar to those run by Mozilla, Google and, most recently, Facebook.
Microsoft does not have a problem with reward programmes and regularly hires penetration testing firms to test its code, but Moussouris reiterated that the prize is not just about money.
"We looked at what researchers were doing with our products and saw there were more motivations than money," she explained.
"It's one motivation, but there's also recognition within the community and the pursuit of intellectual happiness from the act of discovering these issues."