Security Experts:

Connect with us

Hi, what are you looking for?



ZDI Announces Rules and Prizes for Pwn2Own 2022

Trend Micro’s Zero Day Initiative (ZDI) on Wednesday announced the targets, prizes and rules for Pwn2Own Vancouver 2022, scheduled to take place May 18-20 alongside the CanSecWest conference.

Trend Micro’s Zero Day Initiative (ZDI) on Wednesday announced the targets, prizes and rules for Pwn2Own Vancouver 2022, scheduled to take place May 18-20 alongside the CanSecWest conference.

This year’s Pwn2Own will be hybrid — participants can attend in person in Vancouver or they can tune in remotely and have their exploits run by ZDI staff. Registration closes on May 12.

Tesla, Zoom, Microsoft and VMware will have representatives at Pwn2Own, with ZDI announcing more than $1 million in cash and prizes for exploits targeting virtualization products, web browsers, enterprise applications, servers, enterprise communications software, and cars.

In the case of Tesla, the prizes are largely the same as in the previous year, when no entries were submitted in the automotive category. However, at Pwn2Own 2022, both a Model 3 and a Model S are available as targets. In addition to a top prize of $600,000 for hacking a Tesla, researchers can earn the car itself.

Rewards offered for Tesla exploits at Pwn2Own

In the virtualization category, the top prize is $300,000, offered for Microsoft Hyper-V exploits. In the web browser category, rewards range between $50,000 and $150,000, which does not include a bonus of up to $75,000 for VM escapes.

In the enterprise app category, researchers can earn up to $50,000 for Adobe Reader exploits and $100,000 for Microsoft Office 365 exploits. Hacking Ubuntu and Windows 11 will be rewarded with up to $40,000.

The Samba interoperability suite has been added to the server category, with rewards of up to $75,000. The highest prize is offered for Windows RDP and Exchange exploits.

Finally, in the enterprise communications category, up to $150,000 is offered for Zoom and Microsoft Teams exploits. At the previous Pwn2Own, two teams did earn $200,000 each for Zoom and Teams exploits.

At last year’s event, which took place in April, participants earned a record-breaking $1.2 million for exploits targeting Safari, Chrome, Edge, Windows 10, Ubuntu, Teams, Zoom, Parallels, and Microsoft Exchange.

In the fall, at Pwn2Own Austin 2021, participants earned a total of more than $1 million for their router, printer, NAS, smartphone, and smart speaker zero-day exploits.

The only event comparable to Pwn2Own in terms of prizes is China’s Tianfu Cup, where participants last year took home a total of $1.9 million.

Related: Printers Hacked for First Time at Pwn2Own

Related: $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.