Try something new – Beat the BlueHat Challenge!

August 2014 Update:  The BlueHat Challenge is on hold.  We will make an announcement on this blog when we re-start the BlueHat Challenge.  Thanks for your interest! 


We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).

The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started.

The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!

More information

  • There’s no restriction on who can participate, no time limit, and no way to fail.
  • There is no monetary reward, and this is not a contest. Your answers should be your own work. We hope that the fun and learning you gain from completing the Challenge is reward enough. We do plan on publicly recognizing people who finish the Challenge.
  • If you find this sort of thing fun, you’d probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at, and we encourage you to submit an application!

You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.

A quick word from our lawyers…

By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.

If you do not want to grant us these rights to your answers, please do not participate in the Challenge.


What is the BlueHat Challenge?

The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.

How does it work?

The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.

Why is Microsoft doing this?

We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!

How long should I expect to wait for my submitted answers to be evaluated?

The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!

How long will the program continue?

We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice.  If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.

Is this the new monetary incentive/bounty program I’ve heard about?

No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.

Where can I find information on Microsoft jobs?

Check out for careers in Microsoft Trustworthy Computing group. See for more general Microsoft career information.

If I complete the Challenge and do well, am I guaranteed an interview or a job?

No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit, where you can submit an application for any open positions that interest you.


Many people came together to make the BlueHat Challenge possible:

  • Couldn’t have happened without David Seidman’s logistics magic!
  • Thanks Fred Raynal and the Quarkslab team for help with the vulnerability and RE challenges
  • Thanks Manuel Caballero and Mario Heiderich for developing the web design-level challenges
  • Thanks Bill Barlowe, Andrew Ciccarelli, and Shonn Gilson for the back-end infrastructure help
  • Thanks Rollie Watson and John Doyle from Xbox and Rajat and Mike from Lakshya Digital
  • Thanks Dan Beenfeldt, Tim Hermann, and Nanae Toyozato for the “Eli the Zombie” flash game ([reverse] level 2)
  • Thanks Katie Moussouris, Mike Reavey, Leah Lease, Bruce Dang, and David Ross for inspiration

– Jonathan Ness, MSRC Engineering