Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Hackers Offered Over $1 Million at Pwn2Own 2017

For the 10th anniversary of the Pwn2Own hacking contest, Trend Micro and the Zero Day Initiative (ZDI) have introduced new exploit categories and they are prepared to offer more than $1 million worth of prizes.

For the 10th anniversary of the Pwn2Own hacking contest, Trend Micro and the Zero Day Initiative (ZDI) have introduced new exploit categories and they are prepared to offer more than $1 million worth of prizes.

Pwn2Own 2017 will take place in mid-March alongside the CanSecWest conference in Vancouver, Canada. Organizers have announced five major categories for the event: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

VM escapes were first introduced at Pwn2Own 2016 with VMware, but none of the contestants demonstrated a successful exploit. Researchers did manage to hack VMware Workstation and earned $150,000 in November at the PwnFest competition in South Korea.

At this year’s Pwn2Own, experts can earn $100,000 if they manage to execute arbitrary code on the host from a non-admin account in the guest operating system. In addition to VMware Workstation, Microsoft Hyper-V has also been added to the list of targets.

In the web browsers category, Mozilla Firefox has been reintroduced this year and hacking it can earn researchers $30,000. Exploits targeting Microsoft Edge and Google Chrome are worth $80,000, while Apple Safari and Adobe Flash Player exploits are worth $50,000.

Bonuses will be awarded for SYSTEM-level code execution on Windows ($30,000) and Mac OS X ($20,000), and VM escapes ($100,000). The bonuses are cumulative so, for example, if a contestant hacks Chrome, elevates privileges to SYSTEM and escapes the VM, they can earn $210,000 in one go.

Considering that local privilege escalation vulnerabilities can be highly useful for a piece of malware, these types of flaws get their own category this year, with prizes of $30,000 for Windows 10, $20,000 for macOS and $15,000 for Ubuntu Desktop.

The “enterprise applications” category includes Adobe Reader and the Microsoft Office apps Word, Excel and PowerPoint. Hackers can earn $50,000 for vulnerabilities affecting these applications.

Advertisement. Scroll to continue reading.

The most valuable exploits are in the “server side” category. Hackers can earn $200,000 for successful exploits against Apache Web Server running on Ubuntu Server.

Each exploit will also be rewarded with Master of Pwn points. The contestant with the highest number of total points will receive 65,000 ZDI reward points, which are worth roughly $25,000.

Registration for Pwn2Own 2017 closes on March 12 at 5 PM Pacific Time. Additional information and rules are available on ZDI’s website.

Related: Pwn2Own 2016 – Hackers Earn $460,000 for 21 New Flaws

Related: Nexus 6P, iPhone 6S Hacked at Mobile Pwn2Own 2016

Related: Researchers Awarded $552,500 at Pwn2Own 2015

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...