Pwn2Own hacking contest shrinks exploit prize pool

Hewlett-Packard's Zero Day Initiative today outlined the rules for its annual hacking contest, Pwn2Own, which will run March 18-19 with $465,000 in prize money.

Hewlett-Packard's Zero Day Initiative (ZDI) today outlined the rules for its annual hacking contest, Pwn2Own, which will run March 18-19 with $465,000 in prize money on the table.

The prize pool for this year's edition is 28% smaller than the record $645,000 of 2014.

ZDI is HP's bug-bounty program, run by its TippingPoint group, a maker of corporate intrusion prevention system (IPS) and firewall appliances.

The 2015 edition of Pwn2Own will offer cash awards to researchers who demonstrate exploits of previously-unknown vulnerabilities in Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer 11 (IE11) or Apple's Safari browsers, or the Adobe Reader or Adobe Flash Player browser plug-ins.

Those targets are the same as the last two years, with the exception of Oracle's Java, which was dropped for 2015's contest.

Prizes will be awarded on a schedule that implicitly ranks the security prowess of each target. The first to hack Chrome, for example, will win $75,000, while the first to knock down IE11 will receive $65,000. Researchers who successfully exploit Reader or Flash Player will get $60,000, with the remaining targets, Safari and Firefox, paying $50,000 and $30,000, respectively.

In ZDI's mind, then, Firefox is at least twice as easy to hack as Chrome.

Also on the prize board is a series of $25,000 bonus payments for achieving system-level code execution. Each of the five Windows-based targets -- all but Safari, which must be exploited on Apple's OS X -- is eligible for the bonus.

Google, which again has partnered with HP to put up the prize money, will also pay $10,000 for any entry -- not just the first -- that exploits the latest release of Chrome 42. That browser won't have reached the most-polished "Stable" build channel by the time Pwn2Own takes place -- currently, Chrome Stable is at version 40 -- but Google is putting it on the target range nonetheless.

The total up for grabs is significantly less than in 2014, when Pwn2Own offered $645,000 in base prizes and, with bonus payments, could potentially have paid out more than a million dollars. Last year's contest sponsors ended up writing checks that totaled $850,000.

In 2014, hacking IE or Chrome paid $100,000, while Safari and Firefox exploits received $65,000 and $50,000, respectively.

One researcher put his take on the smaller prize pool on Twitter. "This year's #Pwn2Own offers reduced prices, because exploiting the latest browsers on latest OS has become less difficult," tweeted Stefan Esser of the German security firm SektionEins.

As was the case last year, Pwn2Own will use a random drawing to decide the order of attempts if multiple researchers try to tackle a single target. The researcher whose name is drawn first will have 30 minutes to exploit the browser or plug-in; if they are unsuccessful, the next researcher steps up.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which typically have representatives on-site, ready to start the patching process.

Pwn2Own has always taken place at the CanSecWest security conference, hosted in Vancouver, British Columbia. This year, CanSecWest runs March 18-20.

ZDI has posted the contest rules on its website.


Stories by Gregg Keizer
