Security Experts:

Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities

Pwn2Own Vancouver 2022

Participants earned a total of more than $1.15 million at the Pwn2Own Vancouver 2022 hacking contest last week.

According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, rewards were paid out for 25 unique zero-day vulnerabilities that were used to target Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox and Oracle VirtualBox.

A majority of the money was earned on the first day, when researchers demonstrated exploits worth a total of $800,000, including three Microsoft Teams exploit chains that received $150,000 each.

Two teams targeted the Tesla Model 3, but only one of them, representing Synacktiv, was partially successful. The Synacktiv team earned $75,000 for an infotainment system hack, but their exploit leveraged a sandbox escape vulnerability that had already been known.

In the second attempt, a researcher failed to demonstrate their Tesla exploit, but ZDI still decided to acquire the details of the exploit and report them to the carmaker.

Researcher Manfred Paul was the only one to target Mozilla’s Firefox browser and the exploit earned him $100,000. Paul demonstrated his exploit on May 18, and on May 20 Mozilla already announced a Firefox update that should patch the vulnerabilities he disclosed at Pwn2Own. The researcher also earned $50,000 for a Safari hack.

Pwn2Own participants demonstrated six Windows 11 privilege escalation exploits, each worth $40,000. Four Ubuntu exploits and one VirtualBox exploit earned hackers the same amount.

This is the second Pwn2Own taking place this year. In April, at Pwn2Own Miami 2022, which focuses on industrial control systems (ICS), contestants earned a total of $400,000 for their exploits.

Related: Printers Hacked for First Time at Pwn2Own

Related: $1.9 Million Paid Out for Exploits at China's Tianfu Cup Hacking Contest

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.