If you’re unfamiliar with the Pwn2Own contest, check out the rules and results from last year.
This year’s contest will target two sets of technologies: web browsers and mobile devices. As usual, the ZDI will purchase all winning vulnerabilities that are submitted against these targets, hand them over to the affected vendors, and coordinate public disclosure.
Rules
The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 as well as Safari and Firefox installed on a MacBook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest. The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.
To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. A contestant may only win one prize per flaw (e.g. if he is able to pwn a browser and a mobile device using the same flaw, he has to choose one to go after). Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link. Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.
Prizes
The Zero Day Initiative will put up $5,000 per browser bug, and $10,000 per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one-year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on. All winners will be asked to sign and agree to the general ZDI Non-Disclosure Agreement, and the bugs will be turned over directly to the affected vendors.
If more than 5 people win prizes, we will offer additional “Bonus” prizes of an extra $5,000, awarded this year for Most Interesting Browser Flaw, Most Interesting Mobile Device Flaw, and Best in Show.
As with the last two years, we will be posting updates and the final results from the contest on our blog. Check back soon!