Plugin exploits can now win Pwn2Own prizes
While last year's Pwn2Own, like its predecessors, revolved exclusively around browsers, the organisers from TippingPoint have expanded the list of targets this time: in addition to the usual suspects – Chrome, Internet Explorer, Firefox and Safari – hackers will be able to demonstrate their ability to exploit Adobe's Reader XI and Flash Player, as well as Oracle's Java plugin, using previously undisclosed holes.
Hewlett-Packard, which owns security firm TippingPoint, will sponsor the event together with Google. A total of $560,000 has been offered for the discovery of new security holes. The search for vulnerabilities will be most lucrative in Google's Chrome and in Internet Explorer 10: a previously unknown vulnerability in either of these programs is worth $100,000. Next come IE 9 ($75,000), Adobe Reader XI and Flash ($70,000 each), Safari ($65,000) and Firefox ($60,000). Java is last on the list: the discoverer of a new Java exploit will receive $20,000. In view of the various Java vulnerabilities that have recently been disclosed, security expert Kostya Kortchinsky joked about "ZDI giving out $20k for free".
Winners will also receive enough ZDI "reward points" to increase their payouts for future vulnerability submissions to ZDI, along with paid travel and registration to attend DEFCON 2013 in Las Vegas.
The participants are randomly allocated 30-minute time slots. Prizes are awarded to whoever first compromises the target application with a new hole within their time slot. All vulnerability details must then be disclosed to the organisers, who will report them to the product vendors. It was this aspect of the competition that was the subject of a dispute with Google in 2012: Google withdrew its sponsorship that year because it was not guaranteed access to this information. This year, Google is back, providing part of the sponsorship. Pwn2Own 2013 will be held at the CanSecWest conference in Vancouver, Canada, from 6 to 8 March.