This Years Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Published: 22/11/2024   Category: security




Microsoft is a partner at annual contest for the first time.



In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.
The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro's Zero Day Initiative (ZDI).
Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company's hardware.
The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft's flagship security technologies.
"Microsoft has been a target before, but they have never participated as a partner," says Dustin Childs, communications manager for ZDI. "We're excited to have Microsoft as a partner and VMware as a sponsor for this year's event. It shows vendors recognize the value provided by the contest," he says.
The annual Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event provides an opportunity for them to essentially win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective security vendors.
Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla's Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.
Since Pwn2Own launched in 2007, it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts for their products and an opportunity to discover security issues in their products before attackers exploit the flaws.
From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.
"The first Pwn2Own required just one vulnerability to exploit an Apple MacBook," says Childs. "A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it's much more difficult."
This year's event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.
This March's Pwn2Own event expands the virtualization category by adding Oracle's VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.
Award amounts in the various categories vary depending on the target and level of difficulty.
For instance, contestants who can successfully execute a certain type of attack against Microsoft's Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.
"This year's largest awards are reserved for guest-to-host escapes in their various forms," Childs notes.