We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Pwn2Own, Pwnium pay researchers $210K for browser bugs

Last day of hacking events shake loose bugs in Firefox, Chrome

Researchers last Friday unveiled zero-day vulnerabilities in Google's Chrome and Mozilla's Firefox during the final day of two hacking challenges that awarded $210,000 to contestants.

The Chrome vulnerabilities were submitted by a teenage researcher identified as "PinkiePie," who was only the second to participate in the Google-sponsored "Pwnium" event.

After verifying that PinkiePie's work met Pwnium's requirement for a "full Chrome exploit" -- meaning that the two bugs were in the browser's own code and included a "sandbox escape" exploit -- Google awarded him $60,000.

It was the second such payout during the three-day event. On Wednesday, Google paid $60,000 to Sergey Glazunov, a frequent recipient of bounties paid by Google throughout the year.

In announcing PinkiePie's win, Jason Kersey, a Chrome program manager, called the researchers' exploits "works of art." Kersey also promised that Google would publish technical write-ups of the two Pwnium submissions.

On Saturday, Google patched Chrome to fix PinkiePie's vulnerabilities, the second time in three days that it updated the browser within 24 hours of obtaining bugs.

Also on Friday, HP TippingPoint's Zero Day Initiative (ZDI) closed out its "Pwn2Own" hacking contest, which like Pwnium ran March 7-9 at the CanSecWest security conference in Vancouver, British Columbia.

On the last day of Pwn2Own, a two-man team -- Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox zero-day to take the contest's $30,000 second-place prize.

Iozzo and Pinckaers, who also cranked out four other exploits of previously-patched vulnerabilities during Pwn2Own's on-site component, are no strangers to the contest. Last year, they made up two-thirds of a team that won $15,000 by hacking a BlackBerry smartphone.

A team from French security company Vupen won Pwn2Own's first-place prize of $60,000 by hacking Chrome and Microsoft's Internet Explorer earlier in the week.

ZDI did not award Pwn2Own's third-place prize of $15,000 because only two teams participated in the contest.

All told, the two events paid out $210,000 in prize money, a record at CanSecWest.

The dueling challenges were not on the original agenda for CanSecWest: A week before the conference opened, Google withdrew its Pwn2Own sponsorship over objections to that contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.

Google then announced its own Pwnium, and pledged to pay up to $1 million for hacks that exploited Chrome zero-day vulnerabilities.

The code execution vulnerabilities used by the Vupen and Iozzo-Pinckaers teams during Pwn2Own will be reported to vendors today, ZDI said on Twitter last Friday.

The only browser not targeted at Pwn2Own was Apple's Safari, which went untouched for the first time in the contest's six-year history.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is [email protected] .

Read more about security in Computerworld's Security Topic Center.

IDG UK Sites

Acer Aspire R11 review: Hands-on with the 360 laptop and tablet convertible

IDG UK Sites

Apple Watch release day: Twitter reacts

IDG UK Sites

See how Framestore created a shape-shifting, oil and metal based creature for Shell

IDG UK Sites

Apple Watch buying guide, price list & where to buy today: Which Apple Watch model, size, material,?......