From Bounties to the BlueHat Prize – Evolutionary Thinking in Valuing Security Research


Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Cool vulns, BlueHat, soldering irons, quantum teleportation

Rudeness, socks-n-sandals, licorice

Today on the MSRC blog, Matt Thomlinson announced the BlueHat Prize, the first and largest incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense.  While you can get the details of the contest on the new program’s website, I’m going to talk about some of the factors that went into the making of the BlueHat Prize, and why we think defensive security technology is a crucial place for vendors like Microsoft to invest.

Microsoft decided to offer large cash awards for innovations in runtime mitigation technology (a $200,000 grand prize, followed by a $50,000 second prize), both to acknowledge the value of defensive security work, as well as to encourage more security experts to start thinking about mitigations.

Select organizations have offered small cash rewards to security researchers who found and reported security vulnerabilities in their products. As more vendors began offering bug bounties for individual vulnerabilities in their products, many people speculated that Microsoft would follow the trend. Before considering such an approach , we conducted an analysis of the data we have relative to security researcher motivations; current prices in the existing white, grey, and black markets for vulnerabilities and exploits; and of course, what finders of Microsoft vulnerabilities typically do with their discoveries.

What we found can be summarized as follows:

1. Motivation: Researchers have many other motivations other than money, including recognition (either public or just among their peers).

2. Prices: The prices for vulnerabilities sold to the white market do not even come close to the amounts offered by the grey and black markets. By “white market,” we mean either vulnerability brokers who give the details to the vendors privately to get the issues fixed, or the bug bounties offered directly by some vendors. By “grey and black markets,” we are referring to those who purchase the vulnerabilities and exploits for offensive use, and specifically don’t give the vendors info to help get the vulnerabilities fixed. No organization who rewards bug bounties for vulnerabilities in their own products, nor white market vulnerability brokers, offer prices intended to “compete” with the grey and black market prices.

3. Disclosure: 90 percent of security researchers who privately report Microsoft vulnerabilities to us choose to report them to Microsoft directly, rather than seeking monetary payment via a white market vulnerability broker.

With that in mind, Microsoft respects researchers’ choices in whether or not they seek individual payment for vulnerabilities they find, and the means certainly exist for them to do so if they wish. If researchers do sell their vulnerability findings, we hope they choose white market vulnerability brokers to provide Microsoft the opportunity to fix the issues before details are made public and risk to customers is amplified.

So if money doesn’t appear to be the driving motivation for the majority of researchers who are willing to report issues privately in Microsoft products, why did we decide to offer a huge cash reward for defensive security research? Because we believe that the existing security research economy has been exclusively focused on offense for too long.

As a company, Microsoft believes that the best way to secure our products is not through reactive measures, but instead to invest in secure development throughout the product lifecycle, and in overall platform defense technology.

Rather than compete with the existing white market vulnerability economy, we decided to start something no one has ever done before, and introduce a new economic factor and incentive where none existed. While Microsoft continues to invest in improving the security of our products via our Security Development Lifecycle, and address individual vulnerability reports via our security response process, we are simultaneously looking to the horizon both in our vision of securing our platform, and the ways we reward the security researcher community.

We hope other vendors who would like to seek the help of the global talent pool of security researchers will also consider this model of investing in and rewarding innovations in defensive security technology. We also hope that current and future generations of security researchers will be inspired to look at the defensive side of the equation when designing new offensive techniques, thanks to the BlueHat Prize. In our experience, some of the best defenders come from the offense side of security.

I’m Katie Moussouris, and THIS is what a “security strategist” does at Microsoft. Now you know. πŸ™‚

You can follow me on Twitter: