Plug-in pwning challenge brings Pwn2Own prizes to $US560k
Adobe and Java under the spotlight
The organizers of the Pwn2Own hacking competition held at the annual CanSecWest security conference have upped the prize pool to $US560,000 and will now be offering prizes for hacking web plug-ins from Adobe and Oracle.
The contest, which dropped mobile phone hacking last year, has added web plug-in hacking to the prize pool. Contestants get $70,000 apiece for cracking Adobe Reader and Flash, and $20,000 for getting past Java. Based on the latter's recent parlous performance in the security arena, that price discount seems justified.
"We've added browser plug-ins as a reflection of their increasing popularity as an attack vector," said Brian Gorenc, manager of vulnerability research at Pwn2Own sponsors HP DVLabs. "We want to demonstrate new hacking areas and design new mitigation techniques."
For the more traditional hacks against browsers, a working Chrome exploit on Windows 7 will net $100,000, with the same again for an IE10 hack on Windows 8 or $75,000 for breaking IE9 on Windows 7. A Safari exploit on OS X Mountain Lion is worth $65,000 and Firefox on Windows 7 just $60,000, and all hacks must be completed within a 30-minute time frame.
"As always, we look forward to working with anyone who can help us make our products better to help protect our users," an Adobe spokeswoman told El Reg.
As ever with the Pwn2Own competition, the winning hackers also get the laptop used in the successful hack. HP, meanwhile, is asking for the full details of the exploits used and the technique followed in a successful hit, which it will share with the cracked software's developer. This latest rule change has some security researchers worried.
"If the full exploit & technique are shared with the vendor, we will probably *not* enter, or we have to use some tricks ;-)," said last year's winner Chaouki Bekrar, CEO of security research firm VUPEN, on Twitter. ®
Re: Cake crumbs?
That's a big part of the problem; it's kind of like a medical company that has found the cure for a disease but also makes drugs to treat the disease itself. They make more money in the long run treating the symptoms than actually curing the disease, or, in this case, security researchers selling prevention and detection tools, consulting services, and the exploit tools themselves versus telling the vendors how to fix the problems directly.
I understand the financial motivation of not wanting to disclose it all, but I think the real purpose of these competitions is for vendors to learn about potential weaknesses and ultimately FIX the problems to make the product better for everyone. You're getting cash, prizes, the priceless free publicity from the event, plus the good karma from helping make the products safer for the masses. I think all that should be more than enough to compensate you for telling them how you pwned their product, but I guess that's why I'm not filthy rich... :-)
"If the full exploit & technique are shared with the vendor, we will probably *not* enter.."
At first I thought that comment was a little selfish, especially if you get 100k for a demo. Then again, however, you ONLY get 100k for a demo, and that seems like an extremely fair price for a demo. The demo will lean heavily on hints about how to fix the problem, so 100k might be too cheap! Not to mention, the respective company got off really cheap for what could have been millions in R&D. So I can see why honest people wouldn't want to disclose the entire process, which is essentially doing a possible multi-million dollar job for just a crumb of the cake.