This year participants will have to provide vulnerability details to ZDI
HP’s DVLabs Zero Day Initiative (ZDI) has revealed some details about this year’s Pwn2Own competition. Unlike previous editions, Pwn2Own 2013 will focus not only on web browser vulnerabilities, but also on browser plug-in flaws. The contest will take place in Vancouver, British Columbia, on March 6, 7 and 8, during the CanSecWest 2013 security conference.
In the web browser category, the first contestant to successfully compromise Chrome on Windows 7 will receive $100,000 (75,000 EUR).
For compromising IE on Windows 8, the prize is $100,000 (75,000 EUR), and for hacking Firefox on Windows 7, hackers will get $60,000 (45,000 EUR). A working exploit against Safari on OS X Mountain Lion is worth $65,000 (49,000 EUR).
Successful attacks on browser plug-ins running in Internet Explorer 9 on Windows 7 are worth $70,000 (52,000 EUR) for Adobe Reader XI and Adobe Flash, and $20,000 (15,000 EUR) for Oracle Java.
All the operating systems will be fully patched and the targeted applications will run in their default configurations. If a sandbox is present, such as in the case of Chrome, it must be escaped in order for the attack to be valid.
In the previous edition, in which French security firm VUPEN took home a large chunk of the prize money, contestants weren’t required to provide ZDI with all the details of the exploit, but in Pwn2Own 2013 things seem to have changed.
Winners receive the prize money only after revealing all the details of the vulnerabilities they used in the attack. All the proof-of-concepts will be provided to the affected vendors, but they will become the property of HP.
Those interested in participating are required to pre-register by contacting ZDI at firstname.lastname@example.org. Contest rules are available on TippingPoint’s DVLabs website.