HP TippingPoint Zero Day Initiative Modifies Pwn2Own Rules

HP’s TippingPoint Zero Day Initiative unveiled a new format for its popular Pwn2Own contest at the upcoming CanSecWest conference with new prizes and scoring system.

During Pwn2Own, contestants try to compromise fully-patched and up-to-date versions of Web browsers across various operating systems, including Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. Last year’s contest included the four mobile platforms, BlackBerry, Android, iOS and Windows Phone. Participants try to compromise the machine with at least one zero-day vulnerability in a contest that runs over the course of three days.

Under the new format, each target in the contest will have point values assigned, according to TippingPoint Zero Day Initiative’s newly launched contest Website. Each successful compromise with a zero-day vulnerability will be worth 32 points. In the past, as soon as one researcher succeeded in the exploiting the targeted software, that aspect of the competition was over in a winner-take-all format. With the new points system, all the researchers would be able to take their turn, and the winners will win based on the number of points accumulated during the entire contest.

Mobile devices have been dropped altogether from this year’s Pwn2Own contest.

The Pwn2Own organizers will also announce two previously patched vulnerabilities for which contestants could write exploits over the three day contest. Points awarded for a successful exploit will decrease with each day, with 10 days on the first day, nine on the second day and eight points on the third. The exploits won’t need to use a sandbox escape or bypass protected mode in browsers.

The changes are intended to make the event fairer for everyone involved. The three researchers with the highest point totals at the end of the three-day contest will win the cash awards, of $60,000, $30,000 and $15,000, respectively. The prizes are coming from Hewlett Packard.

Contestants also win the laptops that they’re able to successfully compromise targets on. Google is offering prizes of $20,000 for every unique set of bugs that can compromise the Chrome browser without any platform-specific bugs. Participants will have to get full code execution outside of Chrome’s sandbox to claim the prizes.

Google will also pay $10,000 for Chrome vulnerabilities that get code execution outside of the sandbox but require an operating system specific vulnerability to work successfully.

All the vulnerabilities used in the contest become part of the ZDI database and immediately disclosed to the affected vendor. ZDI works with the vendor to get all the relevant information and helps get the security flaw fixed.

CanSecWest will be held March 7 to March 9 in Vancouver.