Pwn2Own, Pwnium pay researchers $210K for browser bugs

Last day of hacking events shake loose bugs in Firefox, Chrome

Researchers last Friday unveiled zero-day vulnerabilities in Google's Chrome and Mozilla's Firefox during the final day of two hacking challenges that awarded $210,000 to contestants.

The Chrome vulnerabilities were submitted by a teenage researcher identified as "PinkiePie," who was only the second to participate in the Google-sponsored "Pwnium" event.

After verifying that PinkiePie's work met Pwnium's requirement for a "full Chrome exploit" -- meaning that the two bugs were in the browser's own code and included a "sandbox escape" exploit -- Google awarded him $60,000.

It was the second such payout during the three-day event. On Wednesday, Google paid $60,000 to Sergey Glazunov, a frequent recipient of bounties paid by Google throughout the year.

In announcing PinkiePie's win, Jason Kersey, a Chrome program manager, called the researchers' exploits "works of art." Kersey also promised that Google would publish technical write-ups of the two Pwnium submissions.

On Saturday, Google patched Chrome to fix PinkiePie's vulnerabilities, the second time in three days that it updated the browser within 24 hours of obtaining bugs.

Also on Friday, HP TippingPoint's Zero Day Initiative (ZDI) closed out its "Pwn2Own" hacking contest, which like Pwnium ran March 7-9 at the CanSecWest security conference in Vancouver, British Columbia.

On the last day of Pwn2Own, a two-man team -- Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox zero-day to take the contest's $30,000 second-place prize.

Iozzo and Pinckaers, who also cranked out four other exploits of previously-patched vulnerabilities during Pwn2Own's on-site component, are no strangers to the contest. Last year, they made up two-thirds of a team that won $15,000 by hacking a BlackBerry smartphone.

A team from French security company Vupen won Pwn2Own's first-place prize of $60,000 by hacking Chrome and Microsoft's Internet Explorer earlier in the week.

ZDI did not award Pwn2Own's third-place prize of $15,000 because only two teams participated in the contest.

All told, the two events paid out $210,000 in prize money, a record at CanSecWest.

The dueling challenges were not on the original agenda for CanSecWest: A week before the conference opened, Google withdrew its Pwn2Own sponsorship over objections to that contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.

Google then announced its own Pwnium, and pledged to pay up to $1 million for hacks that exploited Chrome zero-day vulnerabilities.

The code execution vulnerabilities used by the Vupen and Iozzo-Pinckaers teams during Pwn2Own will be reported to vendors today, ZDI said on Twitter last Friday.

The only browser not targeted at Pwn2Own was Apple's Safari, which went untouched for the first time in the contest's six-year history.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies