Hackers Offered Over $1 Million at Pwn2Own 2017

For the 10th anniversary of the Pwn2Own hacking contest, Trend Micro and the Zero Day Initiative (ZDI) have introduced new exploit categories and they are prepared to offer more than $1 million worth of prizes.

Pwn2Own 2017 will take place in mid-March alongside the CanSecWest conference in Vancouver, Canada. Organizers have announced five major categories for the event: virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

VM escapes were first introduced at Pwn2Own 2016 with VMware, but none of the contestants demonstrated a successful exploit. Researchers did manage to hack VMware Workstation and earned $150,000 in November at the PwnFest competition in South Korea.

At this year’s Pwn2Own, experts can earn $100,000 if they manage to execute arbitrary code on the host from a non-admin account in the guest operating system. In addition to VMware Workstation, Microsoft Hyper-V has also been added to the list of targets.

In the web browsers category, Mozilla Firefox has been reintroduced this year and hacking it can earn researchers $30,000. Exploits targeting Microsoft Edge and Google Chrome are worth $80,000, while Apple Safari and Adobe Flash Player exploits are worth $50,000.

Bonuses will be awarded for SYSTEM-level code execution on Windows ($30,000) and Mac OS X ($20,000), and VM escapes ($100,000). The bonuses are cumulative so, for example, if a contestant hacks Chrome, elevates privileges to SYSTEM and escapes the VM, they can earn $210,000 in one go.

Considering that local privilege escalation vulnerabilities can be highly useful for a piece of malware, these types of flaws get their own category this year, with prizes of $30,000 for Windows 10, $20,000 for macOS and $15,000 for Ubuntu Desktop.

The “enterprise applications” category includes Adobe Reader and the Microsoft Office apps Word, Excel and PowerPoint. Hackers can earn $50,000 for vulnerabilities affecting these applications.

The most valuable exploits are in the “server side” category. Hackers can earn $200,000 for successful exploits against Apache Web Server running on Ubuntu Server.

Each exploit will also be rewarded with Master of Pwn points. The contestant with the highest number of total points will receive 65,000 ZDI reward points, which are worth roughly $25,000.

Registration for Pwn2Own 2017 closes on March 12 at 5 PM Pacific Time. Additional information and rules are available on ZDI’s website.

Related: Pwn2Own 2016 – Hackers Earn $460,000 for 21 New Flaws

Related: Nexus 6P, iPhone 6S Hacked at Mobile Pwn2Own 2016

Related: Researchers Awarded $552,500 at Pwn2Own 2015

view counter

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags: