Big bugs, big bucks: Pwn2Own awards reach half a million

The Pwn2Own Web browser hacking competition is expanding to cover browser plug-ins, and the prize pool is now up to more than half-a-million dollars in cash and prizes.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Web-browser developers like to talk the talk about being more secure. But it's at the CanSecWest security conference that they have to walk the walk as hackers compete for over half-a-million dollars in cash and prizes during the HP Zero Day Initiative's (ZDI) annual Pwn2Own competition.

It's time again for ZDI's Pwn2Own Web-browser hacking contest. (Credit: HP TippingPoint)

In previous years, Pwn2Own competitors fought to break into Web browsers. For the first time, hackers will also be tackling browser plug-in vulnerabilities as well.

According to Brian Gorenc, the manager of the Zero Day Initiative (ZDI) at HP DVLabs, "Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware. These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers. That being said, we are not forgetting about the browser, as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers."

Here are the targets for this year's competition:

Web browser:

  • Google Chrome on Windows 7 ($100,000)

  • Microsoft Internet Explorer; IE 10 on Windows 8 ($100,000), IE 9 on Windows 7 ($75,000)

  • Mozilla Firefox on Windows 7 ($60,000)

  • Apple Safari on OS X Mountain Lion ($65,000).

Web browser plug-ins using Internet Explorer 9 on Windows 7:

  • Adobe Reader XI ($70,000)

  • Adobe Flash ($70,000)

  • Oracle Java ($20,000).

The full Pwn2Own rules are available now.

To summarize, as before, the targets will be running on the latest, fully patched version of the operating systems. In addition, "All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories."

As for the nitty-gritty of the attacks, "Each contestant must select the category they wish to compromise during the pre-registration process. During the contest, the hacker will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites). A successful attack against these targets must require little or no user interaction, and must demonstrate code execution."

Hackers will be chosen randomly and then given their shot. This random element has annoyed contestants in the past. As former Pwn2Own winner Charlie Miller said in 2011, "I had a Safari exploit that I didn't get to use because the Vupen guys got their name drawn before me, and I was pretty upset."

It's not enough to successfully attack a system, the "contestant must also provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category."

Want to give it a try? Pre-register now for the competition by e-mailing zdi@hp.com. Fair warning though, you'll be up against security hacking pros like the French security research outfit Vupen. If you're up for the challenge, give it a go.

Related Stories:

Editorial standards