August 2014 Update: The BlueHat Challenge is on hold. We will make an announcement on this blog when we re-start the BlueHat Challenge. Thanks for your interest!
We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).
The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at firstname.lastname@example.org. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). When you sign up for any one of the three tracks, you will also receive instructions on participating in all tracks, so you can send just one email to get started.
The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!
You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.
A quick word from our lawyers…
By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.
If you do not want to grant us these rights to your answers, please do not participate in the Challenge.
What is the BlueHat Challenge?
The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.
How does it work?
The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.
Why is Microsoft doing this?
We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!
How long should I expect to wait for my submitted answers to be evaluated?
The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!
How long will the program continue?
We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice. If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.
Is this the new monetary incentive/bounty program I’ve heard about?
No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.
Where can I find information on Microsoft jobs?
Check out http://www.twccareers.com for careers in the Microsoft Trustworthy Computing group. See http://www.microsoft.com/careers for more general Microsoft career information.
If I complete the Challenge and do well, am I guaranteed an interview or a job?
No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit http://www.twccareers.com, where you can submit an application for any open positions that interest you.
Many people came together to make the BlueHat Challenge possible:
- Jonathan Ness, MSRC Engineering