HP TippingPoint, the long-time organiser of the annual Pwn2Own hacking contest, announced on Friday that it will offer cash awards exceeding half a million dollars for this year’s competition, more than five times the amount paid out last year.
The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE), Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.
Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).
About the Java award, Kostya Kortchinsky, Researcher, Microsoft, tweeted, “ZDI giving out $20k for free,” referring to the Oracle software’s recent vulnerabilities.
Pwn2Own will run from March 6 to 8 at the CanSecWest security conference in Vancouver, Canada.
According to Brian Gorenc, Researcher, TippingPoint’s DVLabs, HP will sponsor this year’s Pwn2Own in conjunction with Google. Last year, Google was initially a co-sponsor, but withdrew over disagreements with TippingPoint about that year’s rules.
Google then ran its own hacking contest, dubbed Pwnium, at CanSecWest, where it handed out $120,000 to two researchers for exploiting Chrome.
This year’s contest is another revamp of the process and rules, the second in two years. The 2012 challenge used a complicated point system that awarded prizes to the researcher or team of researchers who exploited the most targets during a three-day stretch. It also challenged hackers to devise exploits on the spot.
With 2013’s Pwn2Own, TippingPoint has essentially dumped last year’s model and returned to earlier contest rules. This means that researchers will draw their order of appearance before the contest begins, each will have 30 minutes to try his or her luck, and the first to exploit a given target wins the prize.
Another change from last year is that researchers must provide TippingPoint with a fully-functional exploit and all the details of the vulnerability used in the attack. This differs from last year, when Google backed out, because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.
The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.
However, researchers are only looking to Pwn2Own, with dollar signs in their eyes, for the time being, simply because the prize fund is so large.
The $100,000 prize for an exploit of Chrome or IE10, for example, was 67% more than Google paid last year in its inaugural Pwnium contest, and over six times the maximum paid at Pwn2Own in 2011 for hacking a desktop browser.
However, Charlie Miller, who won prizes at Pwn2Own four years in a row, bemoaned the high awards.
“I have to say the Pwn2Own prize money is serious,” Miller tweeted on Thursday. “I feel like a 1950s pro athlete wondering why current athletes are paid so much.”
Miller, who won at Pwn2Own while he was a security consultant, now works for Twitter.
Others agreed with Miller’s line of thought, with Larry Seltzer, a long-time security reporter and now the editorial director of Byte, chiming in with, “They’re all using exploit-enhancing drugs these days.”
TippingPoint has published the 2103 Pwn2Own rules on its website, and will provide updates during the contest via a dedicated Twitter account.