Minutes ago in Las Vegas at the Microsoft Researcher Appreciation Party, we completed the journey we set out on together at the 2011 Black Hat briefings. There, we asked the security research community to focus its talent and expertise on defense, to design and prototype novel runtime mitigation technologies to prevent the successful exploitation of memory safety vulnerabilities. This was a paradigm shift for many – moving from addressing single vulnerabilities to focusing on ways to mitigate entire classes of vulnerabilities. It was also the first incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense. The incentive was significant, too, with over a quarter million dollars in cash and prizes at stake.

We were very happy with the security community’s response! Overall, 20 qualified entries were submitted before the April 1 deadline. From those, the BlueHat Prize Board carefully narrowed the entries to our three finalists; it was interesting to note that all three finalists chose to mitigate the Return-Oriented Programing (ROP) attack technique. This is not an easy problem to solve, as you have to differentiate malicious code from “good” code, all while not impacting performance or user experience. The three finalists took up the challenge and delivered novel submissions with functioning prototypes! So today it’s my honor to announce the winners of the first ever BlueHat Prize:

Grand Prize Winner of $200,000
Vasilis Pappas for kBouncer

Grand Prize Winner of $50,000
Ivan Fratric for ROPGuard

Grand Prize Winner of $10,000
Jared DeMott for "/ROP"

For more technical details of how the BlueHat Prize Board weighed each entry to reach the verdict, I will let them speak for themselves. And if you weren't able to join us in person for the award ceremony, we've got a glimpse for you in this video.

Although we consider this inaugural BlueHat Prize to be a great success, our work isn’t done. Microsoft continues to make investments in our own security science and engineering efforts, and we will continue to work with security researchers and industry partners to provide our customers the best protections available.

It was great to be on hand to award these prizes to the winners, but it was also exciting to celebrate this moment with a community we respect and enjoy collaborating with. On that note, I should mention that Katie Moussouris has shared her thoughts on the conclusion of this BlueHat Prize on the MSRC Ecosystem Strategy Team blog.


Matt Thomlinson
General Manager, Trustworthy Computing Security