Pwn2Own, Pwnium pay researchers $210K for browser bugs
Last day of hacking events shake loose bugs in Firefox, Chrome
Computerworld - Researchers last Friday unveiled zero-day vulnerabilities in Google's Chrome and Mozilla's Firefox during the final day of two hacking challenges that awarded $210,000 to contestants.
The Chrome vulnerabilities were submitted by a teenage researcher identified as "PinkiePie," who was only the second to participate in the Google-sponsored "Pwnium" event.
After verifying that PinkiePie's work met Pwnium's requirement for a "full Chrome exploit" -- meaning that the two bugs were in the browser's own code and included a "sandbox escape" exploit -- Google awarded him $60,000.
It was the second such payout during the three-day event. On Wednesday, Google paid $60,000 to Sergey Glazunov, a frequent recipient of bounties paid by Google throughout the year.
In announcing PinkiePie's win, Jason Kersey, a Chrome program manager, called the researchers' exploits "works of art." Kersey also promised that Google would publish technical write-ups of the two Pwnium submissions.
On Saturday, Google patched Chrome to fix PinkiePie's vulnerabilities, the second time in three days that it updated the browser within 24 hours of obtaining bugs.
Also on Friday, HP TippingPoint's Zero Day Initiative (ZDI) closed out its "Pwn2Own" hacking contest, which like Pwnium ran March 7-9 at the CanSecWest security conference in Vancouver, British Columbia.
On the last day of Pwn2Own, a two-man team -- Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox zero-day to take the contest's $30,000 second-place prize.
Iozzo and Pinckaers, who also cranked out four other exploits of previously-patched vulnerabilities during Pwn2Own's on-site component, are no strangers to the contest. Last year, they made up two-thirds of a team that won $15,000 by hacking a BlackBerry smartphone.
A team from French security company Vupen won Pwn2Own's first-place prize of $60,000 by hacking Chrome and Microsoft's Internet Explorer earlier in the week.
ZDI did not award Pwn2Own's third-place prize of $15,000 because only two teams participated in the contest.
All told, the two events paid out $210,000 in prize money, a record at CanSecWest.
The dueling challenges were not on the original agenda for CanSecWest: A week before the conference opened, Google withdrew its Pwn2Own sponsorship over objections to that contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.
Google then announced its own Pwnium, and pledged to pay up to $1 million for hacks that exploited Chrome zero-day vulnerabilities.
The code execution vulnerabilities used by the Vupen and Iozzo-Pinckaers teams during Pwn2Own will be reported to vendors today, ZDI said on Twitter last Friday.
The only browser not targeted at Pwn2Own was Apple's Safari, which went untouched for the first time in the contest's six-year history.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!