Pwn2Own hack contest puts record $645K on prize table

New grand prize of $150,000 requires researchers to deal with Microsoft's EMET anti-exploit toolkit

1 2 Page 2
Page 2 of 2

Pwn2Own has been dominated in recent years by teams to the detriment of individuals who cannot compete with groups of well-armed collectives, such as the team from Vupen, which walked off with $250,000 in prize money last year for hacking IE10, Firefox, Flash and Java.

"I'm trying to remember, who has won pwn2own by themselves besides me, @dinodaizovi, and @nils?" asked Charlie Miller, a Twitter researcher who has won four times at Pwn2Own, most recently in 2011. "The team aspect takes the fun out if it [in my opinion]."

Another individual winner, Peter Vreugdenhil, who took home $10,000 in 2010, now works for Exodus Intelligence, a firm that includes Aaron Portnoy, who once ran Pwn2Own. Several others individually won prizes last year by hacking Adobe Reader and Oracle's Java.

Gorenc disagreed with Miller, and dismissed the idea that teams, especially large ones like Vupen's, skewed the contest. "Every year, we sit down and think about how to make Pwn2Own more interesting," said Gorenc. "Last year, we thought about [individuals versus teams] but just went forward with one contest. If people want to team up and split the prize money, that's up to them."

The total payout in 2013 was a record $480,000.

Bekrar also criticized the Exploit Unicorn challenge, arguing that the $150,000 prize is inadequate when three different zero-day vulnerabilities are needed to win. "Unicorn prize is useless as it requires to burn 3 0days: IE + sandbox bypass + kernel exploit, while two would be enough," he said on Twitter.

According to Gorenc, there is no three-vulnerability minimum for the grand prize. "If they can make it happen in just two, and followed the rules, we'd be glad to give them the prize," Gorenc said.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which often have representatives on-site, ready to jump on patching.

"For us, the contest does multiple things," said Gorenc. "We get to understand and fix exploit techniques and vulnerabilities that are out there, and we get to deploy protections to our customers. It's a good value for us."

HP has published the 2104 Pwn2Own rules on its website, and will provide updates during the contest via a Twitter account and blog.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon