Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Pwn2Own Offers $100,000 for Home Office Hacking Scenario

Trend Micro’s Zero Day Initiative (ZDI) has announced the targets and prizes for its next Pwn2Own hacking competition, as well as the introduction of a new category that aims to simulate a real world home office environment.

Trend Micro’s Zero Day Initiative (ZDI) has announced the targets and prizes for its next Pwn2Own hacking competition, as well as the introduction of a new category that aims to simulate a real world home office environment.

The next Pwn2Own will take place December 6-8, 2022, at ZDI’s office in Toronto, Canada. The registration deadline is December 2. The event will not take place alongside a conference so ZDI has decided to reimburse $3,000 for travel expenses to encourage hackers to participate in person. Bug bounty hunters can also compete remotely, with a ZDI employee in Toronto running the exploit for them.

The organizer is offering a total of more than $1 million in cash and prizes for exploits targeting mobile phones, wireless routers, home automation hubs, smart speakers, printers and NAS devices.

This year, ZDI is introducing a new category called ‘The SOHO Smashup’, which can earn participants up to $100,000. This category aims to simulate a small office/home office (SOHO) scenario, with the goal being to hack a router via its WAN interface and then pivot into the local area network where the researcher needs to hack a different device, such as a printer, smart speaker or NAS device.

In the first stage, they can hack a TP-Link, Netgear, Synology, Cisco, MikroTik or Ubiquity router. In the second stage, they can pick from a list of nearly a dozen IoT devices from Meta, Amazon, Google, Sonos, Apple, HP, Lexmark, Canon, Synology, and WD.

Pwn2Own SOHO Smashup

While this version of Pwn2Own is no longer called Mobile Pwn2Own, mobile phones are still the most attractive target from a financial viewpoint. Participants can earn up to $250,000 if they hack Apple’s iPhone 13 or Google’s Pixel 6. Hacking a Samsung Galaxy S22 can earn participants up to $50,000.

A cash prize of up to $60,000 is offered for smart speaker and home automation hub exploits. The targets include Sonos One, Apple HomePod Mini, Amazon Echo Studio, Meta Portal Go, Amazon Echo Show 15, and Google Nest Hub Max.

Participants can earn up to $40,000 for Synology and WD NAS exploits, and between $5,000 and $30,000 for router vulnerabilities. Printer exploits are worth up to $20,000.

At last year’s event, participants were awarded more than $1 million for smartphone, router, printer, NAS and smart speaker zero-day exploits.

Related: Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities

Related: ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022

Related: Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet