Pwn2Own hacking contest puts record $560K on the line
Google back as co-sponsor after organizer changes rules
Computerworld - HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.
The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.
Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).
About the Java award, Kostya Kortchinsky, a researcher who now works for Microsoft, quickly tweeted, "ZDI giving out $20k for free," referring to the Oracle software's recent vulnerabilities.
Pwn2Own will run March 6-8 at the CanSecWest security conference in Vancouver, British Columbia.
According to Brian Gorenc, a researcher with TippingPoint's DVLabs, HP will sponsor this year's Pwn2Own in conjunction with Google. Last year, Google was initially a co-sponsor, but withdrew over disagreements with TippingPoint about that year's rules.
Google then ran its own hacking contest, dubbed Pwnium, at CanSecWest, where it handed out $120,000 to two researchers for exploiting Chrome.
This year's contest is another revamp of the process and rules, the second in two years. The 2012 challenge used a complicated point system that awarded prizes to the researcher or team of researchers who exploited the most targets during a three-day stretch. It also challenged hackers to devise exploits on the spot.
With 2013's Pwn2Own, TippingPoint has essentially dumped last year's model and returned to earlier contest rules: Researchers will draw their order of appearance before the contest begins, each will have 30 minutes to try his or her luck, and the first to exploit a given target wins the prize.
Another change from last year is that researchers must provide TippingPoint with a fully-functional exploit and all the details of the vulnerability used in the attack. That's different from last year, when Google backed out because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.
The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts