Pwn2Own hack contest puts record $645K on prize table

New grand prize of $150,000 requires researchers to deal with Microsoft's EMET anti-exploit toolkit

Hewlett-Packard's Zero Day Initiative (ZDI) yesterday spelled out the rules for its March hacking contest, Pwn2Own, which will put two-thirds of a million dollars in prize money on the table for researchers who can hack the biggest browsers and most popular plug-ins.

ZDI is HP's bug-bounty program, run by its TippingPoint division, a maker of intrusion prevention system (IPS) and firewall appliances for corporate networks.

The 2014 edition of Pwn2Own will offer $645,000 in potential awards to hackers who demonstrate exploits of previously-unknown vulnerabilities in Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer (IE) or Apple's Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

Those targets were also the focus of last year's challenge.

Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome or IE11 on Windows 8.1. Payments will drop to $75,000 for Adobe Flash or Reader running in IE11, then slide through other targets before ending at $30,000 for Java. Prizes will also be given for exploiting Safari ($65,000) and Firefox ($50,000).

A new $150,000 prize will also be at stake for what HP called the "Exploit Unicorn," a multi-exploit string able to not only hack IE11 on Windows 8.1, but also obtain system-level code execution when Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a utility that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications, is enabled.

"We're trying to highlight the prowess of the best researchers in the world," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview Friday, referring to the grand prize. "We know that researchers are looking at this [EMET], and we wanted to make this extra difficult."

To grab the $150,000, researchers will have to bypass IE11's "sandbox," a defensive technology that isolates the browser from the rest of the operating system, then leverage at least one additional vulnerability to gain system access -- all while EMET is in action.

While Gorenc acknowledged that the addition of EMET is in part an artificial hurdle designed to make exploitation more difficult, there's some method to the madness: Microsoft has increasingly pitched EMET, even to individual users, as a stop-gap defense to use between the time a new vulnerability has been discovered and when the bug is patched.

Pwn2Own, which is in its eighth year, will run March 12-13 at the CanSecWest security conference in Vancouver, British Columbia. Google will also be running its own Pwnium contest -- which will pit researchers against its Chrome OS -- at CanSecWest, and will be kicking in 25% of the prize money for Pwn2Own.

This year's Pwn2Own will again use a random drawing to choose the order that researchers tackle a target. Each researcher or team of researchers will have 30 minutes to demonstrate their exploit. If successful, the prize money will be awarded and researchers who didn't get a favorable draw will be out of luck.

"The #Pwn2own random drawing shit is back this year, a very bad rule that was removed last year where all pwners were allowed to pwn," said Chaouki Bekrar, CEO of French vulnerability research lab and zero-day seller Vupen, in a tweet yesterday.

Actually, Pwn2Own used the drawing in 2013, but during the challenge the prize pool was expanded to give every successful exploit the winning prize money, which resulted in several earning $20,000 each for hacking Java.

Gorenc said the same may happen at this year's contest, depending on how many register for the contest.

Pwn2Own has been dominated in recent years by teams to the detriment of individuals who cannot compete with groups of well-armed collectives, such as the team from Vupen, which walked off with $250,000 in prize money last year for hacking IE10, Firefox, Flash and Java.

"I'm trying to remember, who has won pwn2own by themselves besides me, @dinodaizovi, and @nils?" asked Charlie Miller, a Twitter researcher who has won four times at Pwn2Own, most recently in 2011. "The team aspect takes the fun out if it [in my opinion]."

Another individual winner, Peter Vreugdenhil, who took home $10,000 in 2010, now works for Exodus Intelligence, a firm that includes Aaron Portnoy, who once ran Pwn2Own. Several others individually won prizes last year by hacking Adobe Reader and Oracle's Java.

Gorenc disagreed with Miller, and dismissed the idea that teams, especially large ones like Vupen's, skewed the contest. "Every year, we sit down and think about how to make Pwn2Own more interesting," said Gorenc. "Last year, we thought about [individuals versus teams] but just went forward with one contest. If people want to team up and split the prize money, that's up to them."

The total payout in 2013 was a record $480,000.

Bekrar also criticized the Exploit Unicorn challenge, arguing that the $150,000 prize is inadequate when three different zero-day vulnerabilities are needed to win. "Unicorn prize is useless as it requires to burn 3 0days: IE + sandbox bypass + kernel exploit, while two would be enough," he said on Twitter.

According to Gorenc, there is no three-vulnerability minimum for the grand prize. "If they can make it happen in just two, and followed the rules, we'd be glad to give them the prize," Gorenc said.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which often have representatives on-site, ready to jump on patching.

"For us, the contest does multiple things," said Gorenc. "We get to understand and fix exploit techniques and vulnerabilities that are out there, and we get to deploy protections to our customers. It's a good value for us."

HP has published the 2104 Pwn2Own rules on its website, and will provide updates during the contest via a Twitter account and blog.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags business issuesCybercrime and HackingMalware and VulnerabilitiesExploits / vulnerabilitiesOraclemozillaHewlett-PackardHPAppleFirefoxGoogleMicrosoftsecurity

More about Adobe SystemsAppleExodusGoogleHewlett-Packard AustraliaHPIPSMicrosoftMozillaOracleTippingPointTippingPointToolkitTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts