Security Experts:

Bug Bounty Hunters Earn $1.2 Million at Chinese Hacking Competition

2020 Tianfu Cup

Bug bounty hunters have earned a total of more than $1.2 million over the weekend at the 2020 Tianfu Cup International PWN Contest, a major hacking competition that takes place every year in China.

Organizers of the event describe it as “China’s Pwn2Own” and this year the prize pool exceeded $1 million.

A total of 15 teams signed up for the 2020 Tianfu Cup and 8 of them earned money for their exploits. The winner was a team representing Chinese cybersecurity firm Qihoo 360, which earned over $740,000.

The Qihoo 360 team earned $100,000 for a Chrome exploit that achieved remote code execution with a sandbox escape, $180,000 for a VMware ESXi guest to host escape, $40,000 for a Firefox exploit, $60,000 for a Qemu exploit, and $18,000 for an Adobe Reader exploit.

The same team also hacked an iPhone 11 Pro with iOS 14 and earned $180,000 for an exploit that achieved remote code execution with a sandbox escape. They also targeted a Samsung Galaxy S20, which earned them $80,000 as they demonstrated an exploit that achieved remote code execution with root privileges.

The Qihoo 360 team also hacked Windows 10 and CentOS 8, which earned them $40,000 for each exploit chain.

Another team also hacked the iPhone 11 Pro and earned $180,000. It’s worth noting that the top prize for hacking the iPhone was $300,000, for a remote jailbreak.

Other participants targeted Safari, Docker, Adobe Reader, the Galaxy S20, Ubuntu, and Asus and TP-Link routers. Overall, organizers said, participants successfully hacked 11 of the 16 targets.

At last year’s event, participants earned over half a million dollars for hacking products from Apple, Google, Microsoft, VMware and others.

The Zero Day Initiative’s Pwn2Own Tokyo competition also took place last week, but participants only earned $136,000 for 23 unique vulnerabilities. White hat hackers remotely demonstrated their exploits against routers, NAS devices and smart TVs.

Related: Hackers Earn $1 Million for Zero-Day Exploits at Chinese Competition

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Related: VMware Patches Workstation Flaw Disclosed at Hacking Contest

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.