Microsoft's Blue Hat Shows It's Serious About Security
By Paul F. Roberts

What Blue Hat Really Does for Microsoft Developers (Page 2 of 3)

"Blue Hat is just part of a larger picture, which is a really broad effort to make Microsoft accessible," said Adam Shostack, an independent security consultant in Atlanta who participated in the Blue Hat event in October.

"Pretty much any [security] conference you go to, there's a Microsoft presence."

More interaction with the research community has given Microsoft a softer touch, even with so-called grey-hat hackers who don't always toe the corporate line or adhere to the company's vulnerability disclosure policies.

"Microsoft still has a long way to go, but they're making an effort to build good relations with researchers, including myself," said Tom Ferris, an independent security researcher in Mission Viejo, Calif., who runs the Security-Protocols.com Web site and has published details on several unpatched holes in Microsoft's products.

Compared with other organizations, Microsoft representatives go out of their way to show respect to researchers, Ferris said.

"They're not hostile or offensive in e-mails. ... They're always nice. They don't want to [tick] off the researcher," Ferris said.

That's a big change for a company that had a reputation for giving frosty receptions to people who reported bugs.

On the security front, Blue Hat hasn't yielded "aha" security moments as much as it has broadened the thinking of Microsoft's developers, said Stephen Toulouse, security program manager at Microsoft's Security Response Center.

"What we're striving for is an outside perspective—getting developers to understand the misuse of code," Toulouse said.

But there are still more than a few researchers who see the Blue Hat conferences as little more than shrewd PR for a company that is widely believed to produce insecure software.

"Microsoft got their ass handed to them by worms. It was a public embarrassment and bad [public relations]," said eEye's Maiffret, whose company frequently finds and reports critical holes in Microsoft's products and has had a testy relationship with the company for years.

Maiffret gives Microsoft high marks for improving the quality of its code in recent years. But events such as Blue Hat are more public relations than serious security work, he said.

The experts who have been invited to the event are not the same researchers who are discovering the critical holes in the company's products, he said.

Still, experts and Microsoft insiders say that warm, fuzzy relations with the independent security community are just one part of the company's security makeover under Trustworthy Computing, and not the most important part.

The whole initiative, especially Blue Hat, is really about increasing the security know-how of its developers, said Mike Howard, senior security program manager at Microsoft and an author of Microsoft's Security Development Lifecycle program, which many experts credit with improving the quality of the company's code.

Microsoft has also used the power of its bulging purse to buy up or bring under contract some serious security talent.

Litchfield's NGSS counts Microsoft as a customer, and Ferris claims the company offered him a position on its kernel development team, which he turned down. A Microsoft spokesperson said the company doesn't comment on hiring issues.

"Microsoft has hired an awful lot of my friends in the last few years," said Shostack, who has never worked for Microsoft. "These are all security people, and they're all over the company."

"They're using their monopoly power. It's not all bad, but there are some who look at it in a cynical light," said Gary McGraw, chief technology officer of Cigital Inc., in Dulles, Va., who declined to comment on whether his company, which helps vendors write secure applications, is under contract to Microsoft but admitted having worked with the company in the past.

Still, more security know-how coupled with better programming and liberal use of automated security scanning tools have eliminated many easy-to-exploit buffer overflow and string copy holes, experts agree.

"The best way to think about it is as an iceberg floating south. It's gradually getting smaller, and the bug hunters are scrambling for space," said Litchfield in Surrey, England.

Next Page: The hacker bull's-eye could be shifting.
