Pwn2Own, run by Trend Micro’s Zero Day Initiative, is one of the industry’s toughest hacking contests. Started in 2007, Pwn2Own has become a platform for white hats to test their skills against various types of software and winners have been awarded more than $4 million over the lifetime of the program.
Pwn2Own Vancouver, Pwn2Own's spring vulnerability research competition, will be held from March 20 to 22 at the CanSecWest conference. The contest has 5 categories, including web browsers, virtualization software, enterprise applications and server-side software. For the first time, the contest will feature an 'Automotive' category, with the Tesla Model 3 chosen as a target by ZDI. Other targets include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware.
Let's look at what's in store in every category:
“We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us”
- David Lau, Vice President of Vehicle Software at Tesla
Tesla has long engaged with the hacker community, running a bug bounty program since 2004 that pays up to $15,000 for security exploits of its systems. In 2018 the company altered its warranty policy. The updated policy states that 'as long as security exploits are found and reported within the limits outlined by the bug bounty program, the user's warranty will remain intact.'
At Pwn2Own Vancouver, researchers will have 6 focal points in which to discover and research vulnerabilities in the car. While prizes for each of these vary from $35,000 to $300,000, the winning security researcher can also walk away with their very own Model 3.
Tesla's decision to take part signals how seriously it takes the security of its self-driving cars.
The targets for the virtualization category are:
Microsoft leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. VMware is a Pwn2Own sponsor for 2019, and the VMware ESXi along with VMware Workstation will serve as targets with awards of $150,000 and $70,000 respectively. Oracle VirtualBox is included in this category with a prize of $35,000.
Within the browser category, we have:
We saw a lot of web browsers getting hacked in 2018. It is great to see the biggest names in the tech industry coming forward to have vulnerabilities in their products found and fixed before malicious actors can exploit them. A browser exploit for Firefox will be awarded $40,000. The award for exploiting Chrome is $80,000. Additionally, a contestant exploiting Edge with Windows Defender Application Guard (WDAG) will be awarded $80,000. Contestants exploiting Safari will be awarded between $55,000 and $65,000.
The Enterprise Application category has the following targets:
The products offered by Adobe and Microsoft are used by almost everyone on a daily basis. Finding a security flaw in this category would therefore safeguard the millions of people who use these products regularly. An Adobe Reader exploit will be awarded $40,000, a Microsoft Office exploit $60,000, and an Outlook exploit $100,000.
The final category in this contest, server-side software, has Microsoft Windows RDP as its target. A successful RDP exploit will award the contestant $150,000.
You can head over to the Zero Day Initiative's official blog for more information on the contest, its rules, the awards and much more.