Pwn2Own hacking contest puts record $560K on the line
Google back as co-sponsor after organizer changes rules
Computerworld - HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.
The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.
Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).
About the Java award, Kostya Kortchinsky, a researcher who now works for Microsoft, quickly tweeted, "ZDI giving out $20k for free," referring to the Oracle software's recent vulnerabilities.
Pwn2Own will run March 6-8 at the CanSecWest security conference in Vancouver, British Columbia.
According to Brian Gorenc, a researcher with TippingPoint's DVLabs, HP will sponsor this year's Pwn2Own in conjunction with Google. Last year, Google was initially a co-sponsor, but withdrew over disagreements with TippingPoint about that year's rules.
Google then ran its own hacking contest, dubbed Pwnium, at CanSecWest, where it handed out $120,000 to two researchers for exploiting Chrome.
This year's contest is another revamp of the process and rules, the second in two years. The 2012 challenge used a complicated point system that awarded prizes to the researcher or team of researchers who exploited the most targets during a three-day stretch. It also challenged hackers to devise exploits on the spot.
With 2013's Pwn2Own, TippingPoint has essentially dumped last year's model and returned to earlier contest rules: Researchers will draw their order of appearance before the contest begins, each will have 30 minutes to try his or her luck, and the first to exploit a given target wins the prize.
Another change from last year is that researchers must provide TippingPoint with a fully-functional exploit and all the details of the vulnerability used in the attack. That's different from last year, when Google backed out because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.
The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts