Pwning for the lulz…and for charity

By the time we turn out the lights on each year’s Pwn2Own competition, the ZDI team feels a little bit like superheroes. After all, we’ve set up a world-class hacking competition, awarded hundreds of thousands of dollars to researchers, taken delivery on exciting zero-day vulnerabilities, and responsibly disclosed them to some of the biggest software companies on earth. But that’s really all in a week’s work for us; it’s what we do. This year, however, we and our friends at Google just might earn the right to some superhero swagger.

This year in Vancouver, to kick off the Pwn2Own competition on the 12th, we’re holding a friendly hacking session just for the sponsors – HP’s and Google’s teams. All the products eligible for Pwn2Own are eligible for the sponsors-only session, which we’re calling Pwn4Fun. We’ll start the morning with the drawing to determine the order for the Pwn2Own competition. Once that’s done, it’s Google and ZDI bashing away in a flurry of excitement and ownage, with huge amounts of money on the line for…more on that in a second. Spectators are very much welcome at all of the morning’s events.

Why? Because it’s fun, of course, and to make the Internet safer -- but also to raise money for charity. The researchers participating in the Pwn4Fun session won’t get any of those hundreds of thousands of Pwn2Own dollars for themselves -- no worries, we’ve all got good day jobs -- but ZDI and Google will donate 50 percent of what our researchers would have gotten in open competition for the exploit(s) used during Pwn4Fun. (In other words, an exploit against IE or Chrome is worth $50,000 for charity, a Flash exploit is worth $37,500, and so on.) Our jointly agreed-upon charity of choice is the Canadian Red Cross.

(Edited To Add: We’ve gotten good questions so far about how we’ll work things out in the event that a ZDI or Google researcher uses the “same” exploit a Pwn2Own contestant has prepped for competition. Our goal for both events is to make sure that every contestant has an equal opportunity to win. To that end, we’ll be carefully analyzing the exploit chains used by contestants during both events and deciding what qualifies as a winning entry based on the current contest rules and the totality of the work. The analysis will take into account not only the vulns but also the techniques used, which are a standard part of each Pwn2Own entry.)

By the time we get to the drawing for Pwn2Own’s competition order on Wednesday at 9:30am, we ZDI folk will have been getting ready for the competition for months. Behind us will lie frantic weeks of preparation and logistics drama; ahead of us will lie jittery researchers, grumpy / defensive / resigned software-company representatives, all the random weirdness that CanSecWest can deliver – and, we hope, the writing of some very, very big checks for fresh zero-day vulnerabilities and exploit techniques.

It will definitely be a good moment for some heroic fun. See you there, Google friends; hope to see many of the rest of you as well.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.