Slashdot Mirror


Microsoft To Pay $200k Prize For New Security Tech

Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

12 of 111 comments

  1. It's worth a lot more than that by blair1q · Score: 4, Insightful

    If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

    1. Re:It's worth a lot more than that by fishybell · Score: 2

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

      You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

      The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no-money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a very bad deal on a potentially profitable product. Microsoft will however likely not implement any one idea, but rather a collection of all ideas.

      You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation, even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

      --
      ><));>
  2. Re:A system and method for preventing virus infect by dragon-file · Score: 4, Funny

    Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

    I've always preferred positive over negative reinforcement.

    --
    Whenever a player quits EVE to go play WoW, the average IQ of both games increases.
  3. "focus their talents on defensive technologies" by Anonymous Coward · Score: 2, Interesting

    "to defend against memory safety vulnerabilities"

    Funny that they are restricting people's talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

    1. Re:"focus their talents on defensive technologies" by hansraj · Score: 3, Informative

      The only person quoted in TFA, Katie Moussouris, is a senior security strategist in Microsoft's Trustworthy Computing Group. So I'd say that you might not be way off the mark here.

  4. Re:A system and method for preventing virus infect by biek · Score: 3, Insightful

    A whoosh sound plays over the speakers.

  5. Stop using Windows by Rix · Score: 3, Insightful

    When should I expect my cheque?

  6. Re:A system and method for preventing virus infect by Baloroth · Score: 2

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    Wait, don't porn sites generally have the most malware?

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  7. So what exactly does this entail by Riceballsan · Score: 2

    I mean, correct me if I'm wrong, but it sounds like rather than actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.

    1. Re:So what exactly does this entail by h4rr4r · Score: 2

      This is what you get when MBAs run a company. They don't understand the problem, so instead they want people to find a magic solution, and for cheap.

  8. And thus MS misses the mark again by subreality · Score: 2

    Like antivirus and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

    • browsers that auto-install plugins
    • Mail readers that let you run attachments with a couple of clicks
    • Removable storage that auto-runs programs
    • Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
    • Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

    Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

  9. Re:That's an innovative approach.. by erroneus · Score: 3, Insightful

    If by innovative you mean "wrong" then yes, I agree.

    Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to rewrite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up AdBlock and NoScript on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

    It's the frikken JavaScript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

    Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.