Find a Windows 8.1 Exploit, Earn $100,000


Microsoft says it's willing to pay security researchers $100,000 for helping them discover and prevent attacks on the firm's upcoming Windows 8.1 (otherwise known as 'Windows Blue').

The reward is part of a new campaign designed to beef up the security defenses of Microsoft products.

One part of this new campaign is being called "BlueHat Bonus for Defense," which is based on a 2011 contest where Microsoft rewarded security researchers with a "BlueHat Prize".

The new BlueHat Bonus for Defense project will offer up to $50,000 for new security ideas related to Microsoft products. (Source:

Big Bounty for Finding Windows Blue Exploits

A second part of the campaign is known as the "Mitigation Bypass Bounty," and doubles the potential reward to $100,000. To win that much cash, security experts will need to devise a complex technique for getting around Windows 8.1's advanced security defenses.

Specifically, researchers will need to clearly demonstrate that their methods are capable of circumventing Windows 8.1's security systems, including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and SEHOP (Structured Exception Handling Overwrite Protection).
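Two of the three mitigations named above, DEP and ASLR, are opt-in per image: the linker records them as bits in the DllCharacteristics field of the PE optional header, and a defender auditing a binary wants to know whether they are actually set. The following Python parser is an added example, not code from the original article or from Microsoft; it reads those bits from a PE file. The `build_minimal_pe` helper constructs header-only sample images for offline testing and is a test fixture, not a real binary. Note the caveat it encodes: SEHOP is applied by the operating system at process start and is not recorded in the PE header, so this check covers DEP and ASLR opt-in only.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the Microsoft PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use high-entropy ASLR (PE32+ only)
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is DEP-compatible
NO_SEH = 0x0400            # image declares that it uses no SEH handlers
# COFF Characteristics bit: base relocations were stripped, so the loader
# cannot move the image even when DYNAMIC_BASE is set.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def mitigation_flags(image: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and report which
    opt-in mitigations it declares. SEHOP is an OS-level process mitigation
    and has no header flag, so it is deliberately absent here."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dep_nx_compat": bool(dll_chars & NX_COMPAT),
        "aslr_dynamic_base": dynamic_base,
        # DYNAMIC_BASE without relocations is an ASLR opt-in the loader cannot honour.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA) and magic == 0x20B,
        "no_seh": bool(dll_chars & NO_SEH),
    }


def build_minimal_pe(dll_chars: int, pe32plus: bool = False,
                     relocs_stripped: bool = False) -> bytes:
    """Constructed test fixture: a header-only PE image with no sections,
    just enough structure for mitigation_flags() to parse."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224  # standard sizes incl. 16 data directories
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened_x64": build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True),
        "legacy_x86": build_minimal_pe(0),
        "aslr_but_relocs_stripped": build_minimal_pe(DYNAMIC_BASE, relocs_stripped=True),
    }
    for name, img in samples.items():
        print(name, mitigation_flags(img))
```

To audit a real file, pass `open(path, "rb").read()` to `mitigation_flags`. The `aslr_effective` field is the one to watch: a binary can carry DYNAMIC_BASE yet still load at a fixed address if its relocation table was stripped, which is exactly the kind of image a bypass author goes looking for.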

According to Microsoft's statement on the subject, eligible submissions must include "an exploit that demonstrates a novel method of exploiting a real Remote Code Execution (RCE) vulnerability and a white paper explaining the exploitation method." (Source:

Academics Expected to Provide Bulk of Submissions

It's expected that most submissions for the aforementioned prizes will come from academics, such as Hovav Shacham, who in 2007 unveiled an exploit technique that would have garnered the University of California, San Diego computer science professor the $100,000 prize.

Shacham's technique is known as return-oriented programming (ROP). Rather than injecting new code, it chains together short instruction sequences that already exist in the program or its libraries and end in a return instruction, so an attacker who controls the stack can run arbitrary computation without ever executing a writable page. That is precisely the behaviour DEP is meant to prevent, which is why ROP is the textbook mitigation bypass and a fitting yardstick for the bounty.

As for the new program's popularity, security expert Andrew Storms says "we don't know how many [submissions] they'll get."

According to Veracode chief technology officer Chris Wysopal, the program is long overdue. "The first thing that comes to mind is that it's about time," Wysopal said. (Source:
