Google and Facebook may offer bug bounties, but Microsoft broke into the "cash for security code" movement with its inaugural BlueHat Prize, hosted at the Marquee nightclub in Las Vegas. "For our challenge to the security researcher community, we said, can you focus on defensive techniques that can focus on entire classes of attacks, instead of finding one-off vulnerabilities," said Mike Reavey, director of the Microsoft Security Response Center, in an interview at Black Hat. "And we put a quarter of a million dollars on the table, because we knew it's hard to do."
The winning submission, together with $200,000 of the prize money and mountains of free confetti, went to Columbia University graduate student Vasilis Pappas for kBouncer, which Microsoft described as "an efficient and fully transparent ROP [return-oriented programming] mitigation technique."
BlueHat Prize event photograph by Mathew J. Schwartz.