Pwn2Own hacking contest shrinks exploit prize pool

12.02.2015
Hewlett-Packard's Zero Day Initiative (ZDI) today outlined the rules for its annual hacking contest, Pwn2Own, which will run March 18-19 with $465,000 in prize money on the table.

The prize pool for this year's edition is 28% smaller than the record $645,000 of 2014.

ZDI is HP's bug-bounty program, run by its TippingPoint group, a maker of corporate intrusion prevention system (IPS) and firewall appliances.

The 2015 edition of Pwn2Own will offer cash awards to researchers who demonstrate exploits of previously-unknown vulnerabilities in Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer 11 (IE11) or Apple's Safari browsers, or the Adobe Reader or Adobe Flash Player browser plug-ins.

Those targets are the same as in the last two years, with the exception of Oracle's Java, which was dropped from the 2015 contest.

Prizes will be awarded on a schedule that implicitly ranks the security prowess of each target. The first to hack Chrome, for example, will win $75,000, while the first to knock down IE11 will receive $65,000. Researchers who successfully exploit Reader or Flash Player will get $60,000, while the remaining two targets, Safari and Firefox, pay $50,000 and $30,000, respectively.

In ZDI's mind, then, Firefox is at least twice as easy to hack as Chrome.

Also on the prize board is a series of $25,000 bonus payments for achieving system-level code execution. Each of the five Windows-based targets -- all but Safari, which must be exploited on Apple's OS X -- is eligible for the bonus.

Google, which again has partnered with HP to put up the prize money, will also pay $10,000 for any entry -- not just the first -- that exploits the latest release of Chrome 42. That browser won't be in the most-polished "Stable" build channel by Pwn2Own -- currently, Chrome Stable is at v.40 -- but Google is putting it on the target range nonetheless.

The total up for grabs is significantly less than in 2014, when Pwn2Own offered $645,000 and, with additional payments, could potentially have paid out more than a million dollars. Last year's contest sponsors ended up writing checks that totaled $850,000.

In 2014, hacking IE or Chrome paid $100,000, while Safari and Firefox exploits received $65,000 and $50,000, respectively.

One researcher put his take on the smaller prize pool on Twitter. "This year's #Pwn2Own offers reduced prices, because exploiting the latest browsers on latest OS has become less difficult," tweeted Stefan Esser of the German security firm SektionEins.

As was the case last year, Pwn2Own will use a random drawing to decide the order of attempts if multiple researchers try to tackle a single target. The researcher whose name is drawn first will have 30 minutes to exploit the browser or plug-in; if they are unsuccessful, the next researcher steps up.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which typically have representatives on-site, ready to start the patching process.

Pwn2Own has always taken place at the CanSecWest security conference, hosted in Vancouver, British Columbia. This year, CanSecWest runs March 18-20.

ZDI has posted the contest rules on its website.

(www.computerworld.com)

Gregg Keizer