Microsoft acquires 20 new Windows security ideas for $13,400 each

04.04.2012

ROP bugs can be used by attackers to sidestep current Windows anti-exploit technologies like ASLR, or address space layout randomization.

All submitters -- not just the winners -- will retain intellectual property rights to their work, but must license their technologies to Microsoft on a royalty-free basis. Entries had to provide a prototype 2MB or smaller that ran on Windows and was developed using the Windows SDK (software development kit).

The licensing provision makes the BlueHat Prize an economical way for Microsoft to acquire new security ideas. Even if half of the entries are duplicates or simply not up to snuff, Microsoft could procure 10 technologies or techniques for under $27,000 each, or less than a quarter of what Google pays for vulnerabilities and associated exploits in its Chrome browser.

"It's a cheap way to pay someone else to innovate," said Andrew Storms, director of security operations at nCircle Security, in an interview today.

"Google and others pay for vulnerabilities," added Storms. "Microsoft has never done that. Instead they're paying for innovation. So instead of paying someone to break their stuff, they are paying someone to make it better."