Security Research

Pwning for the lulz…and for charity

Angela_Gunn 03-04-2014 08:48 AM - edited 03-04-2014 04:42 PM

By the time we turn out the lights on each year’s Pwn2Own competition, the ZDI team feels a little bit like superheroes. After all, we’ve set up a world-class hacking competition, awarded hundreds of thousands of dollars to researchers, taken delivery on exciting zero-day vulnerabilities, and responsibly disclosed them to some of the biggest software companies on earth. But that’s really all in a week’s work for us; it’s what we do. This year, however, we and our friends at Google just might earn the right to some superhero swagger.


This year in Vancouver, to kick off the Pwn2Own competition on the 12th, we’re holding a friendly hacking session just for the sponsors – HP’s and Google’s teams. All the products eligible for Pwn2Own are eligible for the sponsors-only session, which we’re calling Pwn4Fun. We’ll start the morning with the drawing to determine the order for the Pwn2Own competition. Once that’s done, it’s Google and ZDI bashing away in a flurry of excitement and ownage, with huge amounts of money on the line for…more on that in a second. Spectators for all of the morning’s events are very much welcome.


Why? Because it’s fun, of course, and to make the Internet safer -- but also to raise money for charity. The researchers participating in the Pwn4Fun session won’t get any of those hundreds of thousands of Pwn2Own dollars for themselves -- no worries, we’ve all got good day jobs – but ZDI and Google will donate 50 percent of what our researchers would have gotten in open competition for the exploit(s) used during Pwn4Fun. (In other words, an exploit against IE or Chrome is worth $50,000 for charity, a Flash exploit is worth $37,500, and so on.) Our jointly agreed-upon charity of choice is the Canadian Red Cross.


(Edited To Add: We’ve gotten good questions so far about how we’ll work things out in the event that a ZDI or Google researcher uses the “same” exploit a Pwn2Own contestant has prepped for competition. Our goal for both events is to make sure that every contestant has an equal opportunity to win. To that end, we’ll be carefully analyzing the exploit chains used by contestants during both events and deciding what qualifies as a winning entry based on the current contest rules and the totality of the work. The analysis will take into account not only the vulns but the techniques used, which are a standard part of each Pwn2Own entry.)


By the time we get to the drawing for Pwn2Own’s competition order on Wednesday at 9:30am, we ZDI folk will have been getting ready for the competition for months. Behind us will lie frantic weeks of preparation and logistics drama; ahead of us will lie jittery researchers, grumpy / defensive / resigned software-company representatives, all the random weirdness that CanSecWest can deliver – and, we hope, the writing of some very, very big checks for fresh zero-day vulnerabilities and exploit techniques.


It will definitely be a good moment for some heroic fun. See you there, Google friends; hope to see many of the rest of you as well.
