The annual Pwn2Own browser hacking competition that takes place at the CanSecWest conference is one of the premier security events in any given year, as security researchers attempt to demonstrate in real time zero-day exploits against modern Web browsers. This year there was initial concern that the event wouldn’t happen, as the Zero Day Initiative (ZDI), which is the primary sponsor of Pwn2Own, is currently in a state of transition.
ZDI currently is part of Hewlett Packard Enterprise (HPE), but that will change this year, as the TippingPoint division of HPE, which includes ZDI, is being sold to security vendor Trend Micro in a deal first announced in October 2015 for $300 million. Since ZDI is in transition, HPE and Trend Micro will jointly sponsor the 2016 Pwn2Own event taking place March 16-17.
“Bringing both HPE and Trend Micro together for Pwn2Own has been a lot of fun,” Brian Gorenc, manager of Vulnerability Research at HPE, told eWEEK.
Since Trend Micro’s acquisition of TippingPoint has not yet officially closed, it was determined that the best course of action was to do a joint sponsorship of the event, Gorenc said. As such, no matter who owns TippingPoint when the Pwn2Own contest starts, both Trend Micro and HPE will have an interest in what’s going on at the event.
At the 2015 event, HP awarded a total of $557,500 in prize money to researchers for exploiting previously unknown vulnerabilities in Web browsers. The prize pool for the 2016 event will be in the same range, though at this point it’s not entirely clear which vendor will pay for the prizes.
“We don’t discuss publicly how the sponsorship works, but the money is all accounted for and we’re ready to give it all away if the exploits come in,” Gorenc said.
For the 2016 event, Pwn2Own will award $65,000 for exploits against Google Chrome running on fully patched versions of Windows 10, running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). The same amount will be paid for an exploit on Microsoft’s new Edge browser. Pwn2Own will award an additional $60,000 for Adobe Flash exploits running Microsoft Edge. Finally on Mac OS X, there is a $40,000 award for exploiting Apple’s Safari browser.
There are a number of additional opportunities to win even more prize money. One award will go to a researcher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running. The promise of using a virtual machine is that it isolates the running application and does not allow processes to “escape” and impact other processes that could be running on the same system host.
“This year we also added the Master of Pwn idea, which is the person that will be the grand champion of the entire event,” Gorenc said.
In the past, he said, whoever won the most money was unofficially understood to be the grand champion. This year, Pwn2Own will formalize the process to crown the Master of Pwn by having a point system for vulnerabilities disclosed at the event. The winner will earn 65,000 ZDI reward points, which is worth approximately $25,000.
One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.
“We wanted to focus on the browsers that have made serious security improvements in the last year,” Gorenc said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.