For the 10th anniversary of the Pwn2Own hacking contest, Trend Micro and the Zero Day Initiative (ZDI) have introduced new exploit categories and they are prepared to offer more than $1 million worth of prizes.
Pwn2Own 2017 will take place in mid-March alongside the CanSecWest conference in Vancouver, Canada. Organizers have announced five major categories for the event: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.
VM escapes were first introduced at Pwn2Own 2016 with VMware, but none of the contestants demonstrated a successful exploit. Researchers did manage to hack VMware Workstation and earned $150,000 in November at the PwnFest competition in South Korea.
At this year’s Pwn2Own, experts can earn $100,000 if they manage to execute arbitrary code on the host from a non-admin account in the guest operating system. In addition to VMware Workstation, Microsoft Hyper-V has also been added to the list of targets.
In the web browsers category, Mozilla Firefox has been reintroduced this year and hacking it can earn researchers $30,000. Exploits targeting Microsoft Edge and Google Chrome are worth $80,000, while Apple Safari and Adobe Flash Player exploits are worth $50,000.
Bonuses will be awarded for SYSTEM-level code execution on Windows ($30,000) and Mac OS X ($20,000), and VM escapes ($100,000). The bonuses are cumulative so, for example, if a contestant hacks Chrome, elevates privileges to SYSTEM and escapes the VM, they can earn $210,000 in one go.
Considering that local privilege escalation vulnerabilities can be highly useful for a piece of malware, these types of flaws get their own category this year, with prizes of $30,000 for Windows 10, $20,000 for macOS and $15,000 for Ubuntu Desktop.
The “enterprise applications” category includes Adobe Reader and the Microsoft Office apps Word, Excel and PowerPoint. Hackers can earn $50,000 for vulnerabilities affecting these applications.
The most valuable exploits are in the “server side” category. Hackers can earn $200,000 for successful exploits against Apache Web Server running on Ubuntu Server.
Each exploit will also be rewarded with Master of Pwn points. The contestant with the highest number of total points will receive 65,000 ZDI reward points, which are worth roughly $25,000.
Registration for Pwn2Own 2017 closes on March 12 at 5 PM Pacific Time. Additional information and rules are available on ZDI’s website.