28 February 2012

Earn While Hack

The contest will take place at the CanSecWest conference in Vancouver, British Columbia during the 7th, 8th, and 9th of March.

There will be 4 targets this year, the most popular browsers on the market:

Official Site Here 

Microsoft Internet Explorer

Apple Safari

Google Chrome

Mozilla Firefox

The targets will be running on the latest, fully patched version of either Windows 7 or Lion.

The contest will be point-based and the winners will be the top three point-holders at the end of the final day*. Any contestant who demonstrates a working 0day exploit against the latest version of the browser will be awarded 32 points. When the contest begins we will be announcing 2 vulnerabilities per target that were patched in recent years. The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points depending on the day the exploit is demonstrated.

Unlike last year, the browsers will be eligible for all attacks (and subsequent points) throughout the contest.

*No team or individual can win without having demonstrated at least 1 0day vulnerability.


The first place winner will receive a payment from Hewlett-Packard in the amount of $60,000 USD. Second place will be awarded $30,000 and third place, $15,000 USD. Additionally, the laptops themselves will be awarded as prizes to the winners at the end of the contest.

With regard to Chrome, Google is offering the following cash prizes:

Full Chrome pwn: uses only bugs in Chrome itself to gain full unsandboxed code execution. $20,000 USD per fully disjoint bug set.

Partial Chrome pwn: uses bugs in Chrome and bugs in the operating system to gain full unsandboxed code execution. $10,000 USD per fully disjoint bug set.

"Non-Chrome pwn": uses only OS bugs for the pwn. e.g. Windows kernel font parsing vulns, driver vulns, $0 USD (not eligible).

Technical Details:

0day Vulnerabilities:

The browsers and corresponding operating systems will be fully updated on first day of the contest. Contestants can request to demonstrate a vulnerability at any time during the offical CanSecWest conference hours. A successful compromise of a fully-patched browser will be worth 32 points.

Public Vulnerabilities:

The browsers will be installed on Windows XP (for Firefox, IE, and Chrome) and Snow Leopard (for Safari). That way, the only exploit mitigation that must be overcome is DEP (no ASLR). Also, we will not require a sandbox or protected mode escape for any of the public vulnerability exploits.

To get the competitors started, we will be distributing virtual machine images with the software installed on the proper operating system as well as a proof of concept trigger that will cause the browser to fault.

On the first day (March 7th) a successful compromise using one of the public vulnerabilities will be worth 10 points. On the second day (March 8th) such an attack will be worth 9 points. On the third day, 8 points. This decaying point structure is intended to reduce the likelihood of a tie.

The specific browser versions will be announced on the first day of the contest.

All vulnerabilities demonstrated will be subject to confirmation by the Pwn2Own judges before being officially recognized. This is intended to ensure that duplicate vulnerabilities are not utilized by multiple teams, as well as more complicated situations such as a vulnerability being used against a browser that includes Webkit, but may not be synced with the Webkit nightly trunk (not eligible).

For any inquiries, please visit the contact page.