Microsoft Readying Live Hacker Judging At Black Hat


Microsoft is set to judge live attempts to bypass the security defenses in its latest operating system -- Windows 8.1 Preview -- giving hackers an attempt to earn $100,000 as part of the company's new bug bounty reward program.

Hackers will use their working exploits on a Lenovo ThinkPad X1 Carbon Touch, a business Ultrabook, at the Black Hat conference in Las Vegas. The software giant's security engineers will judge the attempts to crack into the laptop at its booth at about 12:30 Pacific Time on July 31 and Aug. 1.

In addition to up to $100,000 for demonstrating mitigation bypass, Microsoft will award each successful hacker with the ThinkPad X1.

[Related: Black Hat 2013: 5 Cool Hacking Tools To Check Out]

"If you're successful at the live demo portion of the event, you and the judges will be whisked away to de-brief in the private Judging Suite upstairs, where they'll examine your work more closely and ask any relevant questions while you enjoy a well-earned break from the chaos," said Katie Moussouris, a senior security strategist at Microsoft, in the company's Blue Hat Prize blog.

To be eligible, hackers must submit an exploit that bypasses the mitigation with the source code and must exploit a real remote code execution vulnerability. A white paper also must be submitted explaining the exploitation method.

"A novel exploitation method must be an integral and required component of enabling reliable remote code execution," Microsoft explained as part of its bypass bounty program rules.

Submissions must be capable of exploiting a user mode application through bypassing either stack corruption defenses, heap corruption mitigations or code execution prevention technologies. The technique cannot be described in prior works, Microsoft said.

The first Microsoft bounty rewards were issued to researchers earlier this month, with Ivan Fratric, a Google engineer who qualified for finding a flaw in Internet Explorer 11, receiving the first award.

Microsoft, Redmond, Wash., said in June that it would reverse course on a longstanding stance against bug bounty programs and unveiled three vulnerability reward programs. In addition to a mitigation bypass bounty program, the company has a Blue Hat Bonus for Defense program, which rewards researchers an additional $50,000 bonus for defensive ideas that accompany a qualifying mitigation bypass bounty submission. The IE11 preview bug bounty program closed July 26. It was open for the first 30 days following the release of the latest preview version of its Internet Explorer browser. It rewards researchers up to $11,000 for critical vulnerabilities.

Moussouris said Microsoft will adjust its vulnerability rewards programs based on the threat landscape and the new applications and components it releases.

PUBLISHED JULY 29, 2013