Big bugs, big bucks: Pwn2Own awards reach half a million

Summary: The Pwn2Own Web browser hacking competition is expanding to cover browser plug-ins, and the prize pool is now up to more than half-a-million dollars in cash and prizes.


Web-browser developers like to talk the talk about being more secure. But it's at the CanSecWest security conference that they have to walk the walk as hackers compete for over half-a-million dollars in cash and prizes during the HP Zero Day Initiative's (ZDI) annual Pwn2Own competition.

It's time again for ZDI's Pwn2Own Web-browser hacking contest. (Credit: HP TippingPoint)

In previous years, Pwn2Own competitors fought to break into Web browsers. For the first time, hackers will also be tackling browser plug-in vulnerabilities.

According to Brian Gorenc, the manager of the Zero Day Initiative (ZDI) at HP DVLabs, "Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware. These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers. That being said, we are not forgetting about the browser, as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers."

Here are the targets for this year's competition:

Web browser:

  • Google Chrome on Windows 7 ($100,000)

  • Microsoft Internet Explorer: IE 10 on Windows 8 ($100,000), IE 9 on Windows 7 ($75,000)

  • Mozilla Firefox on Windows 7 ($60,000)

  • Apple Safari on OS X Mountain Lion ($65,000).

Web browser plug-ins using Internet Explorer 9 on Windows 7:

  • Adobe Reader XI ($70,000)

  • Adobe Flash ($70,000)

  • Oracle Java ($20,000).

The full Pwn2Own rules are available now.

To summarize, as before, the targets will be running on the latest, fully patched version of the operating systems. In addition, "All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories."

As for the nitty-gritty of the attacks, "Each contestant must select the category they wish to compromise during the pre-registration process. During the contest, the hacker will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites). A successful attack against these targets must require little or no user interaction, and must demonstrate code execution."

Hackers will be chosen randomly and then given their shot. This random element has annoyed contestants in the past. As former Pwn2Own winner Charlie Miller said in 2011, "I had a Safari exploit that I didn't get to use because the Vupen guys got their name drawn before me, and I was pretty upset."

It's not enough to successfully attack a system: the "contestant must also provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category."

Want to give it a try? Pre-register now for the competition by e-mailing Fair warning though, you'll be up against security hacking pros like the French security research outfit Vupen. If you're up for the challenge, give it a go.

  • PWN2OWN, which one is that?

    Oh right, that is the security competition where the Apple product has always fallen the fastest.

    It will be interesting to see how well Android holds up when it comes time to testing mobile devices. Will the Linux kernel keep Android safe? Are AV companies lying when they suggest Android isn't secure?

    I don't know.

    Will Linux fanboys go nuts trying to explain how Android isn't Linux if Android loses?


    Will Linux fanboys rejoice that Android is Linux if Android wins?


    Those are my predictions.
    • Android uses a Linux Kernel

      You write up an article on how Android, Fedora and Ubuntu use the Linux Kernel and what measures each provide security (SELinux/AppArmor) for those platforms.

      Send to Larry, as the Bottom report.
    • RE: "Those are my predictions"

      Too bad that your predictions are wasted at Pwn2Own 2013, as mobile operating systems are not included.

      o Windows 8 should be used instead of Windows 7 (as Windows 8 is the current version and includes security enhancements)
      o GNU/Linux is not included (this would be good publicity for Red Hat's Enterprise Linux Desktop with Mozilla Firefox and Red Hat, a $1 billion U.S. company, can afford the prizes)
      o Even OS X is a bit player compared to Windows (why not add Mozilla Firefox and Google Chrome to OS X along with the plug-ins?)

      P.S. Would love to see world-class hackers give the GNU/Linux desktop a go at Pwn2Own.
      Rabid Howler Monkey
      • no point with win 8

        since MSE pretty much guarantees nothing gets past without user intervention.
      • I'm surprised they are testing OSX at all

        Seeing as HP doesn't make any Macs.
  • Are the award amounts indication of difficulty?

    If so, then Java exploits must be pretty common, not worth near as much as a Chrome
  • Paying people to hack??!

    As if the recent Java debacle didn't cause enough sturm und drang among us commercial shippers who have been thrust into the cloud, now we are awarding prizes for hacking? Is this part of the upside-down world in which victims get victimized and perps get rewarded? I've never heard of a more asinine thing in my life.

    How about rewarding someone who can make Java or any of the mentioned browsers HACK-PROOF? It's a much more direct route than finding the vulnerabilities and then beginning to address them!
    • That's exactly the case here

      By finding vulnerabilities and giving them to ZDI instead of selling them on black markets, hackers help make the products hack-proof.
    • to hack proof

      something, you call in the best hackers with cash as bait.
      how can you not see that?
    • NOTHING is hack proof...

      ...unless a computer gets no power.
    • Go learn what the contest is about before posting

      The point is to find and patch vulnerabilities. The people competing are generally all security consultants etc. Not black hat scam artists.