The Pwnie Awards are given out each year at the Black Hat USA conference that takes place at the beginning of August. Back in June, the organization behind these awards started taking nominations from the public.
Yesterday, the organization published the full list of nominees for this year's Pwnie Awards, which includes 15 categories, as follows:
Pwnie for Best Server-Side Bug
Nominees:
- Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow (CVE-2016-1287)
- ImageTragick (CVE-2016-3714)
- Stagefright via MMS (CVE-2015-1538)
- glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)
- Apache Commons Collections Java Object Deserialization RCE (CVE-2015-4852)
- Samsung Galaxy Edge Baseband Stack Overflow (CVE-2015-8546)
Pwnie for Best Client-Side Bug
Nominees:
- MS16-006 Silverlight BinaryReader Out-Of-Bounds Write RCE (CVE-2016-0034)
- glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)
- MS15-131 Microsoft Office RCE Vulnerability (BadWinmail) (CVE-2015-6172)
- MS15-078 OpenType Font Driver Vulnerability (CVE-2015-2426)
- Stagefright via Web Browser (CVE-2015-1538)
Pwnie for Best Privilege Escalation Bug
Nominees:
- SETFKEY FreeBSD Kernel Vulnerability (CVE-2016-1886)
- Widevine QSEE TrustZone Privilege Escalation (CVE-2015-6639)
- AMD Piledriver Microcode VM Ring 3 to Host Ring 0
- Linux iovec overrun memory corruption (CVE-2015-1805)
- Apple Mac OS X WindowServer Use-After-Free (CVE-2016-1804)
Pwnie for Best Cryptographic Attack (new for 2016)
Nominees:
- Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage
- Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
- BlueCoat's Intermediate CA Certificate
- Got HW crypto? On the (in)security of a Self-Encrypting Drives series
- OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
- SSLv2 Crypto attack (DROWN Attack) (CVE-2016-0800)
Pwnie for Best Junk or Stunt Hack (new for 2016)
Nominees:
- WhatsApp Message Hacked By John McAfee And Crew
- Remotely Killing a Jeep on the Highway
- Hacking a Linux-Powered Rifle
- "60 Minutes" Hacking Your Phone with a Hacked Phone
- Security Analysis of Emerging Smart Home Applications
Pwnie for Best Branding
Nominees (with the best sites and logos):
- Badlock Samba bug (CVE-2016-2118)
- Mousejack wireless keystroke injection bug
- MySQL crypto downgrade (CVE-2015-3152)
- SSLv2 Crypto attack [DROWN Attack] (CVE-2016-0800)
Pwnie for Best Song
Nominees:
- Host Unknown - Accepted the Risk
- AMETIX - The Geek Song
- Katie Moussouris - Cyber-lair
- fbz - Root Rights are a Grrl's Best Friend
Pwnie for Epic Achievement (new for 2016)
This award will be handed out to researchers, attackers, defenders, executives, journalists, or even Internet trolls who have achieved a never-before-seen level of notoriety thanks to their research, work, or stunts.
Nominees:
- Marc Rogers aka CJ (hacker consulting on Mr. Robot TV show)
- Threatbutt Danger Zone Incident Retort 2016 (CVE-20*-*) [trolling]
- Katie Moussouris (for helping create the Department of Defence Bug Bounty)
- Tavis Ormandy (for hacking almost every antivirus program in the last year)
- Tesla for patching the Tesla Model S without a recall
Pwnie for Most Innovative Research
Nominees:
- RAP
- Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
- A2: Analog Malicious Hardware
- Blinded random corruption attacks
- Exceptions in Exceptions - Abusing Special Cases in System Exception Handling to Achieve Unbelievable Vulnerability Exploitation
Pwnie for Most Over-hyped Bug
Nominees:
- Stagefright (CVE-2015-1538)
- Badlock (CVE-2016-0128)
- Linux Keyring Reference Leak (CVE-2016-0728)
Pwnie for Epic 0wnage
Nominees:
- Weev PrinterGate
- Ubiquiti worm
- The DAO Heist
- Stealth Falcon (The UAE Government)
- The Juniper Backdoor
- Ransomware (in general)
Lifetime Achievement Award
Nominees:
- Alex Ionescu
- Jayson Street
- Elias Levy
- Mudge (Peiter C. Zatko)
- Marc Rogers aka CJunky
- James "Myrcurial" Arlen
- Felix "FX" Lindner
- The Grugq
Not announced
Nominations for Pwnie for Best Backdoor (new for 2016) and Pwnie for Lamest Vendor Response have not been announced yet. The Pwnie for Most Epic FAIL will not be awarded this year. Apparently, people responded to security incidents the right way.