Connect with us

Hi, what are you looking for?



Hackers Invited to Target VMware at Pwn2Own 2016

Hewlett Packard Enterprise, Trend Micro and the Zero Day Initiative have invited white hat hackers to show off their skills at this year’s Pwn2Own competition.

Hewlett Packard Enterprise, Trend Micro and the Zero Day Initiative have invited white hat hackers to show off their skills at this year’s Pwn2Own competition.

HP and ZDI decided not to sponsor Mobile Pwn2Own last year at the PacSec conference in Japan over legal concerns related to the controversial Wassenaar Arrangement, but they haven’t completely given up on the popular hacking contest. This year’s list of sponsors is joined by Trend Micro, which announced in October the acquisition of TippingPoint, including the Zero Day Initiative, from HP for $300 million.

As usual, Pwn2Own 2016 will take place alongside the CanSecWest conference in Vancouver, Canada. The competition, scheduled for March 16-17, invites researchers to hack Google Chrome, Microsoft Edge, Adobe Flash, Apple Safari and, for the first time, VMware Workstation.

According to organizers, Windows-based targets will be running on a VMware Workstation virtual machine and researchers who achieve a VM escape will be awarded a bonus of $75,000. A $20,000 bonus will also be awarded for exploits that achieve root- or SYSTEM-level code execution.

Experts who manage to hack Chrome and Edge on Windows will receive $65,000, while those who break Flash running in Edge will get $60,000. The prize for hacking Safari on a machine running Mac OS X is $40,000.

Similar to previous years, the targeted machines will run fully patched versions of the operating system and software. Participants’ exploits will also have to work with the protections in Microsoft’s EMET software enabled.

Pwn2Own 2016 participants will be awarded points for each of their successful entries and the hacker with the highest number of points will be named “Master of Pwn” and will receive an additional 65,000 ZDI reward points, worth roughly $25,000, and a laptop estimated at $1,000.

The vulnerabilities leveraged by contestants must be unknown and each flaw can only be used to target one category. The exploits must work with minimal user interaction and all the vulnerabilities and techniques used by winners must be disclosed to the affected software’s vendor. The complete rules are available on ZDI’s website.

Advertisement. Scroll to continue reading.

Hackers who took part in the 2015 edition of Pwn2Own earned a total of $552,000, plus non-monetary prizes such as ZDI points and laptops.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.