Pwn2Own contest becomes victim of cyberweapon restrictions

The hacking competition has lost HP as a sponsor due to new US cybersecurity regulations.

The Pwn2Own hacking contest has lost a primary sponsor in Hewlett-Packard due to recent changes to the Wassenaar Arrangement.

As reported by Ars Technica, legal concerns have scuppered the PC maker's usual sponsorship, despite HP having spent over $1 million researching the recent changes to the international treaty.

The Pwn2Own contest, run by HP TippingPoint's Zero Day Initiative (ZDI), planned to offer prizes ranging from $25,000 to $75,000 this year for working exploits of previously unknown software vulnerabilities, plus an additional $10,000 for exploits targeting the Google Chrome browser. Before HP's withdrawal, both the PC maker and Google's Project Zero sponsored the cash rewards.

However, the changes to the Wassenaar Arrangement, originally an arms export agreement, and the US rules proposed this year to implement them, have been labeled by Google as "dangerously vague," and that vagueness is exactly what HP's lawyers ran into.

Outlined in May, the new export restrictions tighten the rules on transferring "intrusion software and software vulnerabilities," such as zero-day exploits, across borders. The wording is broad enough that companies, and individual researchers, may need an export license simply to report a security flaw to a vendor or contest in another country.

As noted by The Register, the amended control list defines the restricted category around software specially designed to avoid detection by monitoring tools on computers and network-capable devices, and which performs "the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions." Strictly, the control entries cover the tools and technology used to generate, deliver or communicate with such "intrusion software," but that definition is what the licensing question hangs on, and it is wide enough to describe most working exploits.

In total, 41 countries participate in the Wassenaar Arrangement.

Under such restrictions, researchers may be deterred from discussing or disclosing software vulnerabilities, which would leave vendor products less secure, or may push skilled professionals towards black hat work to turn a profit, especially if bug bounties are affected.

An HP spokesman said:

"Due to the complexity of obtaining real-time import/export licenses in countries that participate in the Wassenaar Arrangement, the ZDI has notified conference organizer Dragos Ruiu that it will not be holding the Pwn2Own contest at PacSecWest in November."

Dragos Ruiu, who organizes the PacSec conference that hosts the contest, suggested HP's legal spending had been wasted, as the compliance and legal questions around holding the hacking competition in Japan were never clear cut. He has not given up, however, and plans to work around the agreement, potentially with a scaled-down version of the popular contest.

Ruiu tweeted:

[screenshot of Ruiu's tweet]

See also: Google: Wassenaar vulnerability rules 'dangerously vague' when clarity is crucial

The difficulties surrounding the updated rules have prompted anger in the security community. By making these competitions complicated to run, the rules hit white hat hackers hardest. White hat researchers, who submit their findings for the benefit of the community and of vendors, may find their hands tied by the agreement, while black hat hackers, who never applied for licenses in the first place, continue unaffected.

The announcement of HP's withdrawal has also prompted speculation that the Wassenaar Arrangement may not be the only reason the PC maker is dragging its feet. HP's reported wish to sell TippingPoint, of which ZDI is a part, ahead of the firm's split in November may also be a factor; the unit is estimated to be worth between $200 million and $300 million.