Security Research

The world outside the room: Hackers, Pwn2Own, and charity

Angela_Gunn 03-14-2014 01:52 PM - edited 10-17-2014 12:13 PM

As we all decompress from Pwn2Own 2014, let’s reflect on how odd the whole thing looks from outside that room at the Sheraton. Researchers bring exploits made of highly unpleasant code from which anyone reasonable would steer clear. They show it to ZDI, an organization that brings large amounts of money to buy it. We immediately give it away (yes, free) to affected vendors, who are expected to look on quietly while the researchers break their products…in front of other researchers, who take the launch of calc.exe as proof that something amazing has happened…and then everyone applauds.


And that doesn’t include the inflatable unicorns. (Thanks again, Dragos.)


Of course we aren’t applauding breakage at Pwn2Own; we’re applauding the skill it takes to find it. When ZDI pays big money for vulns and hands them along to the vendors for free, we’re not saying the vulns are worth nothing to us; our payouts are an investment in getting problems contained and fixed.


[Image: cat-ownage.jpg]

So when ZDI and Google started talking about holding a pre-event hacking session, not only did it sound like fun, but we liked an excuse to hand big bags of money to an organization that also gets problems contained and fixed. The Canadian Red Cross does great work and gave us a chance to give back to the country that has hosted the contest all these years.


The plan came together and the sponsor teams started seeking out possible vulns. Neither team knew what – if anything – we would find that would prove Pwn4Fun-worthy, and to be honest we weren’t sure until a few hours before the contest that both groups were going to deliver. (Remember Patch Tuesday and that IE bulletin? We sure will.) But everything sorted out, and two hours later, we’d collectively racked up $82,500 in donations.

[Image: keen-banner.jpg]

Giving money to a great cause is a total rush. We received a bonus (secondhand) dose the next day, when Keen Team announced they’d be giving a portion of their winnings to a to-be-determined charity as well. It was a nice gesture that made the longest Pwn2Own in history shine just a little brighter. And to cap the event, Jon Oberheide, who announced last week on Twitter that he’d be running the #cats4fun contest to seek the very finest feline-security photos, pledged a $1,000 donation to the American Society for Prevention of Cruelty to Animals for this fine image. (Thanks!)


As weird as some of us may seem, white-hat security researchers do live in the real world – and though we can’t fix all the world’s problems, we sure wish we could. Events like Pwn2Own let us have fun while we try. Adding charitable donation opportunities to the mix turned out to be a great way of extending the goodness, and of making the values we hold more visible outside our little room.
