Connect with us

Hi, what are you looking for?


IoT Security

Bug Bounty Hunters Earn $1.2 Million at Chinese Hacking Competition

2020 Tianfu Cup

Bug bounty hunters have earned a total of more than $1.2 million over the weekend at the 2020 Tianfu Cup International PWN Contest, a major hacking competition that takes place every year in China.

2020 Tianfu Cup

Bug bounty hunters have earned a total of more than $1.2 million over the weekend at the 2020 Tianfu Cup International PWN Contest, a major hacking competition that takes place every year in China.

Organizers of the event describe it as “China’s Pwn2Own” and this year the prize pool exceeded $1 million.

A total of 15 teams signed up for the 2020 Tianfu Cup and 8 of them earned money for their exploits. The winner was a team representing Chinese cybersecurity firm Qihoo 360, which earned over $740,000.

The Qihoo 360 team earned $100,000 for a Chrome exploit that achieved remote code execution with a sandbox escape, $180,000 for a VMware ESXi guest to host escape, $40,000 for a Firefox exploit, $60,000 for a Qemu exploit, and $18,000 for an Adobe Reader exploit.

The same team also hacked an iPhone 11 Pro with iOS 14 and earned $180,000 for an exploit that achieved remote code execution with a sandbox escape. They also targeted a Samsung Galaxy S20, which earned them $80,000 as they demonstrated an exploit that achieved remote code execution with root privileges.

The Qihoo 360 team also hacked Windows 10 and CentOS 8, which earned them $40,000 for each exploit chain.

Another team also hacked the iPhone 11 Pro and earned $180,000. It’s worth noting that the top prize for hacking the iPhone was $300,000, for a remote jailbreak.

Other participants targeted Safari, Docker, Adobe Reader, the Galaxy S20, Ubuntu, and Asus and TP-Link routers. Overall, organizers said, participants successfully hacked 11 of the 16 targets.

Advertisement. Scroll to continue reading.

At last year’s event, participants earned over half a million dollars for hacking products from Apple, Google, Microsoft, VMware and others.

The Zero Day Initiative’s Pwn2Own Tokyo competition also took place last week, but participants only earned $136,000 for 23 unique vulnerabilities. White hat hackers remotely demonstrated their exploits against routers, NAS devices and smart TVs.

Related: Hackers Earn $1 Million for Zero-Day Exploits at Chinese Competition

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Related: VMware Patches Workstation Flaw Disclosed at Hacking Contest

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.