CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

HP Zero Day Initiative revamps the annual hacker contest to put more zero-day vulnerabilities and exploits in play.
Written by Ryan Naraine, Contributor

The annual Pwn2Own hacker challenge is getting a major makeover.

According to organizers at HP Zero Day Initiative, the contest will be redesigned to allow multiple hackers to go after the same computer targets over a three-day span.

The contest, which forms part of the CanSecWest security conference in Vancouver, will no longer have mobile devices as targets.  Instead, hackers will take aim at fully patched Windows 7 and Mac OS X Lion machines to accumulate points based on zero-day vulnerabilities and exploits used.

Threatpost.com's Dennis Fisher has more on the changes:


The new format will include the assignment of point values for each of the various targets in the contest, which typically are browsers such as Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. In order to win the contest, a participant must have at least one zero-day vulnerability in one of the targets. Each successful compromise of a target with a zero-day will be worth 32 points, and unlike in past years, targets will not be removed from the competition once they've been successfully compromised by one researcher.

Also, on the first day of the contest, the organizers from HP's TippingPoint Zero Day Initiative will announce two previously patched vulnerabilities that contestants can use on each target. They will then have three days to write an exploit that works on a given target, although the points awarded for a win will decrease each day. A win on the first day earns 10 points, nine points on the second day and eight on the third. For those "public vulnerabilities", there won't be any requirement for a sandbox escape or bypass of protected mode in the browsers.

Google, as Pwn2Own sponsor, will throw in cash prizes for vulnerabilities exposed in its Chrome web browser.  The search engine giant is offering $10,000 bounties for any zero-day vulnerability/exploit combination that launches harmful code that escapes the browser's sandbox.

For HP Zero Day Initiative, the revamped contest will put more zero-day vulnerabilities in play.  In the past, hackers pulled names from a hat to determine who would be allowed to attempt a code execution attack against a target.

This year, the changes mean that multiple hacking teams will get a chance to take aim at Microsoft's Windows OS or Apple's Mac OS X, an intriguing move that should showcase the robustness -- or weakness -- of the two platforms.

It's not quite clear what would happen with the vulnerabilities and exploits used by teams that don't finish in the top three.  If the new rules attract lots of researchers, we could find a situation where teams are giving away zero-day vulnerabilities and not winning anything.  It's unlikely any researcher who knows the value of vulnerabilities would participate under those conditions.

This hiccup was also noticed by Chaouki Bekrar, one of last year's Pwn2Own winners.
