Security Experts:

Hackers Invited to Target VMware at Pwn2Own 2016

Hewlett Packard Enterprise, Trend Micro and the Zero Day Initiative have invited white hat hackers to show off their skills at this year’s Pwn2Own competition.

HP and ZDI decided not to sponsor Mobile Pwn2Own last year at the PacSec conference in Japan over legal concerns related to the controversial Wassenaar Arrangement, but they haven’t completely given up on the popular hacking contest. This year’s list of sponsors is joined by Trend Micro, which announced in October the acquisition of TippingPoint, including the Zero Day Initiative, from HP for $300 million.

As usual, Pwn2Own 2016 will take place alongside the CanSecWest conference in Vancouver, Canada. The competition, scheduled for March 16-17, invites researchers to hack Google Chrome, Microsoft Edge, Adobe Flash, Apple Safari and, for the first time, VMware Workstation.

According to organizers, Windows-based targets will be running on a VMware Workstation virtual machine and researchers who achieve a VM escape will be awarded a bonus of $75,000. A $20,000 bonus will also be awarded for exploits that achieve root- or SYSTEM-level code execution.

Experts who manage to hack Chrome and Edge on Windows will receive $65,000, while those who break Flash running in Edge will get $60,000. The prize for hacking Safari on a machine running Mac OS X is $40,000.

Similar to previous years, the targeted machines will run fully patched versions of the operating system and software. Participants’ exploits will also have to work with the protections in Microsoft’s EMET software enabled.

Pwn2Own 2016 participants will be awarded points for each of their successful entries and the hacker with the highest number of points will be named “Master of Pwn” and will receive an additional 65,000 ZDI reward points, worth roughly $25,000, and a laptop estimated at $1,000.

The vulnerabilities leveraged by contestants must be unknown and each flaw can only be used to target one category. The exploits must work with minimal user interaction and all the vulnerabilities and techniques used by winners must be disclosed to the affected software’s vendor. The complete rules are available on ZDI’s website.

Hackers who took part in the 2015 edition of Pwn2Own earned a total of $552,000, plus non-monetary prizes such as ZDI points and laptops.

view counter