HP TippingPoint is revamping its annual Pwn2Own hacking contest, dropping attacks against popular smartphones to focus solely on browser-based vulnerabilities and offering higher cash payouts to winners.
This is really about keeping the prize amounts at a level that is competitive and the research teams feeling like they're getting something worthwhile for their efforts.
Aaron Portney, HP TippingPoint
The scaled-down contest, which will take place in March at the CanSecWest Conference in Vancouver, will completely focus on the browser and give hackers an opportunity to earn points over three days for performing successful attacks using a zero-day vulnerability. HP TippingPoint is rewarding $105,000 in cash, divided between first, second and third place winners. In addition, Google is participating for the second year in a row, offering $10,000 and $20,000 vulnerability payouts to researchers who can successfully demonstrate an exploit using flaws in the Chrome browser.
Aaron Portnoy, the leader of HP TippingPoint’s security research team, said the goal was to create a fair competition for all researchers and research teams and provide cash prizes at a level that matches the market for vulnerabilities.
“We want to make sure the amount of money we’re offering is competitive,” Portnoy said. “If we’re only offering $20,000, a researcher may not feel that is the type of compensation their intellectual property deserves.”
In the past, a drawing was used to randomly select the order the researchers participated in the competition. Under the old rules, a winner would be awarded the cash prize and the target browser or smartphone was immediately taken out of the competition. The revised contest gives all participants a chance to compete for a cash prize, Portnoy said. The first place finisher will be awarded $60,000. Second place winner is awarded $30,000, and the third place winner gets $15,000.
“This is really about keeping the prize amounts at a level that is competitive and the research teams feeling like they're getting something worthwhile for their efforts,” Portnoy said. “Combined with what Google is rewarding, the top team or individual can definitely walk away with a lot of money.”
The Pwn2Own contest is maintained by the HP TippingPoint Zero Day Initiative team, which rewards researchers throughout the year for flaw submissions through its bug bounty program.. TippingPoint acquires the rights to the winning vulnerabilities and exploits, and reports the flaws to the corresponding vendor, giving vendors six months to issue a patch before releasing any information to the public.
Pwn2Own hacking contest criticism
Charlie Miller, an analyst for the Baltimore-based consulting firm Independent Security Evaluators, criticized the competition last year saying it encourages researchers to weaponize exploits. Miller, who has won the competition several times, told ComputerWorld the contest grew to the point where only a few researchers walked away with cash prizes. Meanwhile, contestants who were unable to compete because they drew a bad spot in the random drawing were able to walk away from the competition with working exploits, Miller said.
The contest also has been strained in recent years by new vulnerability rewards programs offered to researchers by other security vendors. In addition, Mozilla and Google run their own bug bounty programs. Microsoft does not support a vulnerability bounty program. The software giant announced a Blue Hat competition at Black Hat 2011 that pays out up to $260,000 in cash to researchers who can develop a technology that prevents attackers from targeting memory safety vulnerabilities.
The Pwn2Own smartphone hacking competition was added in 2010. A problem surfaced last year, when a team of researchers exploited multiple Webkit vulnerabilities in a browser attack against a BlackBerry Torch 9800 smartphone. The Webkit rendering engine is used in the Chrome, Safari and Blackberry browsers. The bugs were fixed by the Webkit development team, but cellphone carriers were slow to push out a security update, leaving some handsets open to attack.
“Vulnerabilities fixed in Webkit today could be used against the iPhone or BlackBerry for months, because it takes a long time to distribute updates through the carriers to the devices,” Portnoy said. “We’re trying to avoid all those issues.”
New point-based system
Under the new rules, a researcher or a research team can compete for the cash prizes by demonstrating a successful attack using a zero-day flaw in the Internet Explorer, Firefox, Safari or Chrome browsers. Researchers will receive 32 points for each successful attack. Unlike previous years, the target browser will not be removed from the contest if someone demonstrates an exploit against it, Portnoy said. This gives more researchers an opportunity to compete, he said.
On-site exploit development
Researchers can also gain points by demonstrating their ability to develop a browser-based exploit using patched vulnerabilities provided by HP TippingPoint. Each contestant will be given a virtual machine and proof-of-concept for two vulnerabilities in each of the four browsers. An exploit written on the first day of the contest is worth 10 points, the second day of the contest an exploit is worth 9 points and 8 points on the third day of the contest.
Google Chrome cash prizes
Search engine giant Google is offering rewards for two classes of vulnerabilities. The company will reward $20,000 for each full, unsandboxed code execution vulnerability that is demonstrated against Chrome. A researcher or research team that demonstrates a partial Chrome hack – executing against a Chrome vulnerability and an operating system flaw – will receive $10,000 for each attack. All other unique exploits against Chrome will be rewarded $10,000.