
Pwn2Own

Pwn2Own is a series of ethical hacking competitions organized by Trend Micro's Zero Day Initiative (ZDI), in which participants demonstrate zero-day exploits against targeted commercial software, hardware, and systems to claim cash prizes and the compromised devices. Launched in April 2007 at the CanSecWest conference in Vancouver, British Columbia, the event began as a demonstration of web browser and operating system vulnerabilities but has grown into multiple annual editions across global locations, including specialized contests for automotive, industrial control systems, and AI infrastructure. The competitions emphasize real-world exploit chains, requiring contestants to achieve remote code execution or privilege escalation under constrained conditions, with successful demonstrations leading to responsible disclosure of the vulnerabilities to affected vendors for remediation. Over nearly two decades, Pwn2Own has surfaced hundreds of zero-day bugs, awarding tens of millions of dollars in total prizes, such as $792,750 across 56 exploits in a single 2025 event, and driving patches in widely deployed technologies like web browsers, mobile platforms, and connected vehicles. Landmark achievements include the first hacks of enterprise targets, the introduction of an AI hacking category in 2025, and escalating prize pools that reflect the rising value of undisclosed flaws in complex ecosystems. By incentivizing elite researchers through high-stakes challenges, Pwn2Own serves as a benchmark for cybersecurity research, exposing gaps in secure development practices while enabling vendors to prioritize fixes before public exploitation occurs. The format's focus on verifiable, high-impact exploits has influenced industry practice, though it consistently reveals vulnerabilities in even hardened systems, underscoring the ongoing arms race between defenders and adversaries.

Origins and Early Development

Inception and Founding Principles

Pwn2Own originated in April 2007 as an annual computer hacking contest held during the CanSecWest security conference in Vancouver, British Columbia. It was initiated by Dragos Ruiu, the founder and organizer of CanSecWest, to test claims of software invulnerability empirically through live demonstrations of zero-day exploits. At the time, Apple's marketing, including the "I'm a Mac" advertisements, emphasized the superior security of Mac OS X over other operating systems, prompting Ruiu to create a structured competition that would incentivize researchers to uncover and demonstrate undisclosed vulnerabilities in real-world targets. The founding principles centered on fostering rigorous, incentive-driven security research by awarding prizes to the first successful exploiters of specified targets, such as web browsers and operating systems, while ensuring responsible disclosure of findings to vendors. This approach prioritized live demonstration of flaws over theoretical discussion, aiming to highlight systemic insecurities in commercial products and compel manufacturers to address them promptly. Unlike informal challenges, Pwn2Own enforced strict rules requiring remote exploits with minimal or no user interaction to simulate realistic attack vectors, thereby providing verifiable evidence of real-world risk without relying on unproven assertions. From its inception, the contest emphasized empirical validation over vendor self-assessment, with prizes funded initially by sponsors and later coordinated through partnerships that supported responsible disclosure. This model sought to bridge the gap between researchers and vendors, promoting transparency about product security while avoiding immediate public exploitation that could enable widespread abuse. Operational management soon shifted to the Zero Day Initiative (ZDI), a vulnerability-purchase program founded by TippingPoint and now run by Trend Micro, which formalized prize structures and disclosure processes to sustain the event's growth without altering its core focus on high-stakes, proof-of-concept exploitation.

Initial Events and Growth (2007–2010)

The inaugural Pwn2Own contest took place in April 2007 at the CanSecWest security conference in Vancouver, British Columbia, organized by Dragos Ruiu as a demonstration of real-world exploit capabilities against fully patched systems. The targets were two MacBook Pro laptops; after no remote, interaction-free exploit materialized on the first day, the rules were relaxed to permit attacks that required visiting a malicious web page, and Dino Dai Zovi's Safari exploit, delivered at the conference by Shane Macaulay, compromised one machine, earning the laptop plus a $10,000 prize sponsored by ZDI. Because the 2007 contest offered only Macs, no other browser or platform was tested, but the result punctured the claim that Mac OS X was effectively immune to attack. The 2008 edition, held March 26–28 in Vancouver, expanded the targets to three laptops running Mac OS X, Windows Vista, and Ubuntu Linux, with rules loosening each day from remote, interaction-free attacks to default client applications and then third-party software. Charlie Miller exploited the MacBook Air through a Safari vulnerability within two minutes once the second-day rules allowed browser-based vectors, securing a $10,000 prize and the device; Vista fell on the third day through an Adobe Flash flaw, while the Ubuntu machine survived, reflecting the contest's role in highlighting persistent zero-day risk in consumer software. Prizes remained modest, in the $5,000 to $20,000 range per target, but the event drew more international participants, establishing Pwn2Own as a showcase for exploit development. In 2009, again at CanSecWest in Vancouver, the contest sharpened its focus on the major browsers, Internet Explorer 8, Firefox, and Safari, with $5,000 per successful browser exploit on fully patched systems plus the laptop itself. Charlie Miller compromised Safari on a MacBook within seconds, and a German researcher known as Nils achieved a triple by hacking all three browsers in sequence with undisclosed zero-days, collecting $15,000 in total; his exploits achieved remote code execution from a single page visit and exposed weaknesses in the browsers' rendering engines.
Apple's browser fell rapidly again, reinforcing a pattern of Safari vulnerability, while the event's structure, which required pre-registration of exploit intent, began formalizing through coordination with the Zero Day Initiative (ZDI), which handled responsible disclosure to vendors after the contest. The 2009 edition also added mobile phones to the target list for the first time, though none were compromised. Participation grew, with heightened media coverage signaling Pwn2Own's emergence as a key arena for validating vendor security claims. In 2010, again at CanSecWest, the first successful mobile exploit marked a milestone in targeting the emerging platform: Ralf-Philipp Weinmann and Vincenzo Iozzo compromised an iPhone 3GS through a Safari vulnerability that exfiltrated the phone's SMS database, earning the device and $15,000, while browser hacks landed against Safari, Internet Explorer 8, and Firefox, leaving Chrome as the only major browser untouched. Prizes stood at $10,000 per browser and $15,000 per mobile device, but total payouts increased with the number of successful entries, reflecting broader researcher engagement and ZDI's growing role in acquiring and coordinating zero-day disclosures for patching. The event's expansion highlighted accelerating growth in exploit sophistication and the contest's value in driving vendors to invest in defenses, while also revealing systemic gaps in pre-release vulnerability detection across ecosystems.

Evolution and Modern Format

Expansion to Multiple Categories and Locations

Initially focused on web browsers and operating systems at its Vancouver inception, Pwn2Own broadened its scope to mobile devices with the first dedicated Mobile Pwn2Own, held alongside EUSecWest in Amsterdam in September 2012, and a second mobile event at PacSec in Tokyo in November 2013, targeting platforms like iOS and Android. This addition reflected growing concern over smartphone vulnerabilities, with contestants demonstrating remote code execution on devices such as the Samsung Galaxy and the Apple iPhone. Subsequent years brought further category diversification, including an Internet of Things (IoT) segment in 2018 at Pwn2Own Tokyo, where participants could target connected devices beyond traditional computing endpoints to highlight risks in smart home and networked gadgets. In 2019, the automotive category debuted at the Vancouver event, challenging hackers to compromise vehicle systems such as the Tesla Model 3 infotainment interface and marking an entry into physical infrastructure security. In 2020, a specialized Industrial Control Systems (ICS) variant emerged in Miami, focusing on operational technology in sectors like energy and manufacturing and addressing supervisory control and data acquisition (SCADA) weaknesses. Geographic expansion paralleled the thematic growth, shifting from Vancouver exclusivity to international venues beginning with the mobile-focused contests in Amsterdam in 2012 and Tokyo in 2013, and continuing with PacSec-hosted events in Tokyo through the end of the decade. The 2021 Austin, Texas edition combined in-person and remote participation amid pandemic constraints and introduced categories such as printers alongside network-attached storage (NAS) devices. Toronto hosted consumer-oriented iterations from 2022 onward, featuring small office/home office (SOHO) routers and smart home systems. Recent developments include an enterprise event in Berlin, Germany, in May 2025 with a pioneering AI infrastructure category targeting model-serving frameworks and related tooling, and Cork, Ireland, in October 2025 emphasizing messaging apps like WhatsApp alongside traditional targets. Automotive editions remain anchored in Tokyo, with electric vehicle chargers from vendors such as Tesla and Alpitronic among the 2025 targets.
These multi-location formats, now numbering several annually across continents, enable broader researcher participation and vendor-specific challenges while maintaining the core zero-day disclosure model.

Rule Changes and Scaling (2011–2022)

In 2012, Pwn2Own moved from sequential individual attempts to a capture-the-flag style format with a point system, letting teams accumulate points based on the complexity and success of exploits against Internet Explorer, Chrome, Firefox, and Safari, with prizes tiered at $60,000 for first place, $30,000 for second, and $15,000 for third. This shift broadened participation and competitive dynamics, departing from the prior first-to-exploit focus. Concurrently, a mobile-only variant launched in Amsterdam that September emphasized smartphone hacking under specialized rules, awarding $60,000 in prizes. Subsequent refinements raised exploit rigor; in 2015, the Internet Explorer 11 target ran in 64-bit Enhanced Protected Mode (EPM) with the Enhanced Mitigation Experience Toolkit (EMET) installed, so a winning exploit had to defeat both. In 2016, organizers introduced the "Master of Pwn" title for the highest-scoring team, alongside $460,000 in total awards for 21 zero-day demonstrations. In 2017, rules added negative points for withdrawn attempts to discourage speculative entries, while the 10th anniversary event distributed $833,000 across 51 zero-days. Event scaling accelerated through category diversification and geographic expansion. Plug-in targets (Adobe Reader, Flash, and Java) joined the core browsers in 2013, with the prize pool reaching $560,000; the Tokyo mobile edition that year incorporated Bluetooth, Wi-Fi, and USB attack vectors, paying out $117,500. The prize pool passed $1 million in 2014, and the mobile targets in Tokyo that year largely fell to exploits. Internet of Things (IoT) categories debuted in 2018, followed by automotive targets like the Tesla Model 3 in 2019 ($545,000 awarded in Vancouver), industrial control systems (ICS) in Miami in 2020 ($280,000), and enterprise communications software in 2021 ($1.2 million in Vancouver). By 2022, multiple annual events became standard, including Vancouver ($1.155 million awarded), Miami ($400,000 for ICS), and Toronto, then the largest to date with 66 entries from 36 teams across 13 categories, disbursing $989,750.
Overall prize scales grew from five-figure totals in the early years to multimillion-dollar aggregates, reflecting heightened vendor sponsorship and vulnerability disclosure, while international venues like Tokyo sustained the specialized mobile and automotive focus.

Recent Events and Innovations (2023–2025)

In 2023, Pwn2Own Vancouver, held in March, saw participants demonstrate 27 unique zero-day vulnerabilities across browsers, operating systems, virtualization, and automotive categories, earning $1,035,000 in prizes along with a Tesla Model 3 for a successful automotive exploit. Later that year, Pwn2Own Toronto in October produced 58 zero-days against smartphones, cameras, printers, and other devices, with total awards exceeding $1 million. These events highlighted the growing emphasis on Internet of Things (IoT) and mobile targets, with multiple successful hacks on consumer devices. The 2024 schedule expanded geographically and thematically, beginning with Pwn2Own Automotive in Tokyo in January, which focused exclusively on connected vehicle technology and awarded prizes for exploits against EV chargers and infotainment systems. Pwn2Own Vancouver followed in March, distributing over $1.1 million for demonstrations including a vehicle hack, operating system compromises, and browser exploits. Pwn2Own Ireland in October marked the first flagship event in Cork, yielding over $1 million in bounties for 38 successful attacks on cameras, printers, network-attached storage (NAS) devices, smart speakers, and smartphones and uncovering more than 70 zero-days. This iteration refined the rules for what counts as a remote attack vector, tightening the focus on real-world exposure. By 2025, innovations included the introduction of an artificial intelligence (AI) hacking category at Pwn2Own Berlin in May, an enterprise-oriented event targeting web browsers, operating systems, virtualization, and AI frameworks, where participants earned over $1 million and STAR Labs SG claimed Master of Pwn honors. Pwn2Own Automotive returned in January with expanded targets, including EV chargers speaking the Open Charge Point Protocol (OCPP), resulting in 49 zero-days and a new Master of Pwn, Sina Kheirkhah.
Pwn2Own Ireland in October 2025 concluded the primary annual cycle, awarding $1,024,750 for 73 zero-days across similar categories, demonstrating sustained growth in prize pools and vulnerability disclosures amid increasing participation. These developments reflect the Zero Day Initiative's strategy of broadening scope into emerging technologies such as AI and automotive ecosystems, prioritizing verifiable zero-day discoveries for vendor patching.

Contest Mechanics

Structure and Competition Rules

Pwn2Own operates as a live hacking competition organized by Trend Micro's Zero Day Initiative (ZDI), open to pre-registered researchers and typically spanning two to four days at security conferences or dedicated venues. Contestants register in advance by email with ZDI, which requires a ZDI researcher account, completion of the contest registration, and submission of an entry form for each targeted product. Events feature predefined categories such as browsers, operating systems, enterprise software, consumer devices, automotive systems, and emerging areas like AI frameworks, with the specific targets (for example, the current release of a browser, operating system, or vehicle) announced before the contest. Since 2012 the format has been capture-the-flag style: participants attempt their exploits in turn and earn points for successes rather than racing to be first. Eligibility is limited to individuals or teams of legal adult age, excluding employees of Trend Micro, event sponsors, or targeted vendors, as well as residents of countries under U.S. embargo or persons on denied-parties lists. Public sector employees must confirm compliance with their ethics rules. Each contestant or team registers once, with one entry per target but entries possible across several categories. Attempts proceed in a randomized order determined by a draw at the event's start, and a contestant may target each product only once during the contest. Successful exploits must rely on previously unknown, undisclosed vulnerabilities, and a flaw cannot be reused in a later attempt or category. During an attempt, participants have up to 30 minutes, split into three tries, to demonstrate a full exploit chain under strict conditions: no user interaction beyond the initial application launch or page visit, fully automated execution, and targets in default configuration at the latest patch level. Success requires code execution, privilege escalation, or disclosure of sensitive information while bypassing mitigations such as address space layout randomization (ASLR), data execution prevention (DEP), and sandboxing where applicable.
Judges verify novelty and reliability on-site, disqualifying exploits that rely on known issues or on vectors outside the category definition (for example, some mobile categories require a zero-click chain). After a success, contestants submit a whitepaper and proof-of-concept to ZDI, which purchases the vulnerabilities and coordinates responsible disclosure to vendors, typically granting 90 days for patching before public release. Prizes combine cash awards per target, ranging from roughly $20,000 to $1 million depending on complexity, with a points system for overall ranking; the highest scorer is crowned "Master of Pwn" and receives 65,000 ZDI reward points (valued at approximately $25,000). Points vary by category difficulty, typically from a few to about ten per exploit, accumulate across days, and may include bonuses for add-on challenges such as defeating an additional security layer. ZDI acquires the rights to demonstrated exploits, ensuring ethical handling, while contestants keep the devices they compromise, the "own" in the contest's name.

Target Categories and Devices

Pwn2Own contests designate target categories comprising specific commercial devices, software applications, and systems, chosen for their market significance and the potential impact of a compromise. Successful attempts generally require demonstrating code execution, privilege escalation, or information disclosure while bypassing protections like address space layout randomization (ASLR), data execution prevention (DEP), and sandboxing, often over a network vector without user interaction beyond device setup. Categories track technological shifts, pairing traditional endpoints with specialized domains such as industrial controls and AI infrastructure. Web browsers are a foundational category, targeting rendering engines, sandbox escapes, and kernel escalations in Google Chrome, Microsoft Edge, Apple Safari, and Mozilla Firefox, with additional premiums for chains that also escape a virtual machine. Mobile platforms focus on flagship smartphones, including the Samsung Galaxy S25, Google Pixel 9 series, and Apple iPhone 16, where exploits must achieve system-level access remotely via the browser, radio, or messaging without biometric manipulation. Operating systems such as Windows 11, Ubuntu Desktop, and macOS are tested for local privilege escalation through kernel and system-service vulnerabilities. Enterprise and server categories emphasize virtualization hypervisors such as VMware ESXi and Workstation, Microsoft Hyper-V, and Oracle VirtualBox; container and RPC layers such as Docker Desktop and gRPC; and applications such as Microsoft Exchange, Remote Desktop Protocol (RDP) clients and servers, Adobe Reader, and the Office 365 suite (Word, Excel, PowerPoint). Network-attached storage (NAS) devices, including the Synology DiskStation DS925+, BeeStation Plus, and ActiveProtect DP320 and the QNAP TS-453E, are targeted for remote code execution over network or radio interfaces in default configuration. Printers like the HP DeskJet 2855e, Lexmark CX532adwe, Canon imageCLASS MF654Cdw, and Brother MFC-J1010DW face network-based attacks on exposed services. Surveillance and smart home systems include cameras such as the Synology CC400W, the Ubiquiti AI Pro, and the Wyze Cam Pan v3; hubs like the Philips Hue Bridge and Home Assistant Green; and smart speakers such as the Sonos Era 300 and Amazon Echo Show 15, with "SOHO smashup" entries pivoting through small office/home office routers like the QNAP QHora-322.
Messaging applications, notably WhatsApp on Android, iOS, and Meta Quest VR headsets, demand zero-click or one-click remote compromises. Wearables include the Meta Ray-Ban smart glasses and the Meta Quest 3/3S for proximity-based or local escalation. Automotive categories feature in-vehicle infotainment (IVI) units such as the Sony XAV-AX8500, Alpine iLX-507, Pioneer DMH-WT7600NEX, and Kenwood DMX958XR; electric vehicle (EV) chargers including the ChargePoint Home Flex, Phoenix Contact CHARX SEC-3150, and Tesla Wall Connector; and Tesla Model 3/Y components such as tuners, modems, gateways, ECUs, and the infotainment system, attacked over wireless or Ethernet interfaces. Operating systems in this domain include Automotive Grade Linux, BlackBerry QNX, and Android Automotive OS. The emerging AI category introduced six frameworks, among them vector databases, model-serving toolkits, and the NVIDIA Container Toolkit, where the goal is host-level code execution from a constrained position such as a crafted container image or client request.

Award System and Incentives

The Pwn2Own competitions award cash prizes to participants who successfully demonstrate novel zero-day exploits against the specified targets, with amounts determined by category, exploit complexity, and impact. Prizes typically range from $20,000 to $200,000 for a successful first-round hack, escalating to $1 million for the most demanding challenges such as a zero-click remote code execution in WhatsApp. Winners also keep the exploited device, and every demonstrated vulnerability is responsibly disclosed through the Zero Day Initiative (ZDI) for coordinated patching by the vendor. A points-based Master of Pwn ranking rewards breadth and reliability, assigning values to exploits based on factors like the chain's complexity and sandbox escapes; the contestant accumulating the most points earns the "Master of Pwn" title and 65,000 ZDI reward points, redeemable at an estimated $25,000 within ZDI's acquisition program. Partial successes, such as incomplete chains or entries that collide with a bug already demonstrated, may yield reduced prizes starting at $5,000, while failed demonstrations receive no award, keeping the focus on verifiable, high-impact results. Event prize pools have grown substantially, exceeding $1 million in recent iterations such as Pwn2Own Ireland 2025, where $1,024,750 was paid out for 73 unique zero-days across three days. These incentives promote ethical research by offering competitive payouts, channeling discoveries into coordinated disclosure rather than sale on grey or black markets. ZDI's involvement ensures researchers forgo public release or sale to adversaries in exchange for bounties and priority patching, fostering long-term security improvements through vendor notification and empirical validation of defenses.
This structure has scaled with event expansion, as seen in specialized contests like Pwn2Own Automotive 2026, which offers over $3 million in prizes for vehicle-system targets, underscoring the program's emphasis on demonstrated impact over speculative threats.

Notable Exploits and Milestones

High-Profile Browser and OS Hacks

At the 2015 Pwn2Own event in Vancouver, all four major web browsers, Microsoft Internet Explorer 11, Google Chrome (stable and beta), Mozilla Firefox, and Apple Safari, were compromised within two days, one of the most comprehensive demonstrations of browser weakness to date. South Korean researcher Jung Hoon Lee single-handedly exploited Internet Explorer 11, both Chrome builds, and Safari, chaining zero-day flaws into remote code execution and system compromise and earning $225,000. Firefox fell to other contestants via a separate chain culminating in a sandbox escape and privilege escalation. These hacks exposed weaknesses in browser rendering engines, sandboxing, and underlying OS interactions, prompting rapid patches from Microsoft, Google, Mozilla, and Apple. Earlier browser exploits had set precedents for such feats; at the 2009 Pwn2Own, the German researcher Nils hacked Internet Explorer 8, Firefox, and Safari with undisclosed zero-days, winning $15,000 and underscoring browsers' susceptibility even on fully patched systems. Safari has historically been a frequent early target, with Charlie Miller compromising a MacBook Air in under two minutes at the 2008 event via a browser-based exploit that yielded arbitrary code execution. Operating system hacks have escalated in complexity and stakes, often involving kernel-level privileges. At Pwn2Own Berlin 2025, Windows 11 was exploited three times on the first day alone, each chain reaching SYSTEM-level privileges, including an out-of-bounds write vulnerability used by Marcin Wiązowski and a separate chain by Hyeonjin Yoon. Red Hat Enterprise Linux, prized for its enterprise hardening, was also breached via local privilege escalation zero-days. macOS faced similar scrutiny, with a 2023 exploit using a time-of-check-to-time-of-use (TOCTOU) zero-day for privilege escalation, earning $40,000 and highlighting persistent gaps in Apple's security model despite its platform mitigations.
Windows kernel exploits stand out for their technical demands, frequently chaining user-mode bugs into ring-0 elevation while evading defenses such as Kernel Patch Protection. Demonstrations at Pwn2Own Vancouver 2023 and 2024 included kernel privilege escalations on both Windows and Linux, showing how attacker-controlled user-mode inputs reach kernel objects and yield arbitrary code execution. These OS-level achievements, held private until coordinated disclosure through the Zero Day Initiative, have driven mitigations such as strengthened address space layout randomization and control-flow integrity in subsequent updates.

Records in Specialized Categories

In the automotive category, which gained a dedicated Pwn2Own Automotive event in Tokyo in January 2024 with over $1 million in prizes across in-vehicle infotainment systems, Tesla components, EV chargers, and automotive operating systems, participants have set benchmarks for zero-day discovery. The 2024 and 2025 events each yielded 49 unique zero-days, the highest counts reported in this category, with total awards of $1,323,750 in 2024 and $886,250 in 2025 for exploits against infotainment units and charger systems. Earlier milestones include the 2019 Vancouver event's Tesla Model 3 target, at which 19 zero-days were demonstrated for $545,000 in prizes. For industrial control systems (ICS) and operational technology (OT), Pwn2Own events since 2020 have highlighted vulnerabilities in critical infrastructure software. The 2022 Miami contest awarded $400,000 for 26 zero-days across ICS platforms, including a notable exploit by Dutch researchers Daan Keuper and Thijs Alkemade of Computest, who bypassed the trusted-application checks in an OPC UA implementation, a protocol used in power grids and pipelines, for $40,000 and the Master of Pwn title, completing the work in days rather than the weeks prior challenges had taken them. The 2023 Miami event followed with 27 zero-days for $153,500, while the 2020 edition paid over $280,000 for more than 24 zero-days, underscoring persistent gaps in ICS security despite vendor patches. Mobile categories, with targets such as Samsung Galaxy and Apple iPhone devices, have produced high-volume zero-day chains, often simpler than desktop equivalents according to participant analyses. The 2023 Toronto event awarded $1,038,500 for 58 zero-days, with Team Viettel claiming Master of Pwn and $180,000; similarly, Tokyo 2017 saw 32 zero-days for $515,000, led by Tencent Keen Security Lab.
In IoT-focused subcategories, such as Tokyo 2019's smart devices (speakers, TVs, routers), which yielded 18 zero-days for $315,000, and Ireland 2024's NAS and camera targets, which contributed to more than 70 zero-days and over $1 million in prizes, exploits have emphasized network service and firmware weaknesses. These records reflect growing complexity and prize incentives, driving disclosures in embedded systems beyond traditional computing.

Key Vulnerabilities and Their Resolutions

In Pwn2Own competitions, demonstrated zero-day vulnerabilities are disclosed by the Zero Day Initiative (ZDI) to the affected vendors, who have 90 days to issue patches before public details are released. This process has produced numerous security updates across browsers, operating systems, and virtualization software, closing paths to remote code execution (RCE), sandbox escape, and privilege escalation. For instance, at Pwn2Own Vancouver 2024, Manfred Paul exploited CVE-2024-2887, a type confusion in the V8 JavaScript engine's WebAssembly handling, to obtain an arbitrary read/write primitive and compromise Chrome; Google shipped the fix in Chrome 123.0.6312.86/.87 on March 26, 2024, days after the contest, with Microsoft following for Edge, and Mozilla likewise patched the two Firefox zero-days from the same event in Firefox 124.0.1 within a day. VMware products have also seen key resolutions after Pwn2Own. At Pwn2Own Berlin 2025, four vulnerabilities in VMware ESXi, Workstation, and Fusion, collectively earning their discoverers $340,000, enabled guest-to-host escapes through flaws in emulated devices; Broadcom addressed them in security advisory VMSA-2025-0013 on July 15, 2025, urging customers to apply the updates. Apple exploits have historically prompted fixes as well, as after Pwn2Own 2014, where multiple zero-days enabled RCE chains in Safari that Apple closed in subsequent Safari updates. These resolutions show how Pwn2Own drives vendor accountability, though the protection a patch provides depends on timely deployment by users.

Controversies and Challenges

Vendor Resistance and Disclosure Disputes

Vendors participating in or targeted by Pwn2Own events have demonstrated resistance through proactive hardening, such as last-minute patches to specific vulnerabilities ahead of competition attempts, which can invalidate exploits and heighten pressure on contestants. For example, during preparations for Pwn2Own Austin 2021, teams encountered vendor-induced changes that altered their expected attack paths, showing how product updates shortly before an event work as a defense against public demonstration of flaws. Similarly, over multi-year targeting of the same products, vendors iteratively strengthen defenses in response to prior Pwn2Own successes, as detailed in one team's three-year effort against a consumer device where repeated attempts met escalating mitigations. Disclosure disputes frequently emerge after an event when vendors contest the severity or exploitability of vulnerabilities reported via the Zero Day Initiative (ZDI), which coordinates patches within a 90-day window before public release. ZDI has highlighted recurring problems in coordinated vulnerability disclosure (CVD), including vendors downgrading impact, classifying remote code execution as mere spoofing, for instance, despite the empirical evidence of a Pwn2Own demonstration, which can delay effective fixes and complicate risk assessment for users. An uptick in failed patches has also been observed, where the initial vendor response does not resolve the root cause and ZDI must press for comprehensive remediation based on the verified exploit chain. High-profile cases illustrate these tensions. In 2012, Google withdrew its sponsorship of Pwn2Own, citing disagreement with the organizers over rules that did not require contestants to hand over full exploit chains, including sandbox escapes, and ran its own Pwnium contest instead, reflecting broader vendor concern about which disclosure model best maximizes fixes.
More recently, at Pwn2Own Ireland 2025, a team withdrew a promised $1 million zero-click WhatsApp exploit after a partial demonstration, leaving only two low-risk bugs formally disclosed to Meta; the incident sparked debate over the exploit's claimed capabilities versus its verifiable impact, with the researchers asserting a private notification to Meta amid questions about the technical substance. Such episodes show how Pwn2Own's high-stakes format amplifies scrutiny of disclosure fidelity, though ZDI maintains that its brokered process prioritizes vendor collaboration to mitigate real-world risk.

Government Interventions and Participant Restrictions

In 2018, the Chinese government enacted regulations effectively barring its cybersecurity researchers from participating in overseas hacking contests, including Pwn2Own, to retain control over zero-day vulnerabilities. The rules required prior approval for international events and mandated that discovered exploits be reported to state authorities rather than disclosed to foreign vendors. Before the restrictions, Chinese teams had achieved notable success at Pwn2Own, capturing 79% of the prizes in 2017 through high-value browser and system hacks. The policy led to the absence of Chinese participants at the 2018 Pwn2Own event, reducing the scale of the competition compared with prior years dominated by teams from firms such as Tencent and Alibaba. In response, China established domestic equivalents such as the Tianfu Cup, launched in 2018, where winners must disclose vulnerabilities to the government before vendors patch them, channeling research toward state priorities. Beyond participant nationality, export controls have also restricted Pwn2Own events. In September 2015, organizers canceled Mobile Pwn2Own in Tokyo, citing Japan's implementation of the Wassenaar Arrangement, a multilateral export-control regime that treats certain intrusion software and exploitation tools as dual-use technology requiring licenses for demonstration or transfer. This was an early instance of such regulation disrupting contest logistics, though subsequent events adapted by emphasizing disclosure protocols compliant with differing national laws. No comparable broad ban on their own researchers' participation in Pwn2Own has been documented for other governments such as the United States or European Union member states.

Ethical Debates in Vulnerability Research

Vulnerability research, as exemplified by competitions like , operates within frameworks emphasizing responsible disclosure, where researchers report flaws to vendors or coordinators like the before public release, allowing time for patches. This approach, formalized in the 2000s through standards such as 's guidelines and later , prioritizes minimizing harm by preventing immediate exploitation while ensuring vendors address issues. Pwn2Own mandates such coordination, with ZDI handling notifications and embargoing details until remediation, contrasting with earlier adversarial models.

Debates persist between responsible and full disclosure, the latter involving immediate public publication of vulnerabilities and proofs-of-concept to compel rapid vendor action. Proponents of full disclosure, rooted in practices via mailing lists like Bugtraq, argue it accelerates patching through market pressure and community scrutiny, as delayed disclosure risks vendor inaction or stockpiling for offensive use. Critics counter that it enables script kiddies and cybercriminals to weaponize flaws faster than patches deploy, as seen in early 2000s worm outbreaks following public releases. In Pwn2Own's context, responsible disclosure mitigates these risks but has drawn criticism for granting vendors excessive control over timelines, potentially delaying broader awareness.

Competitions like Pwn2Own highlight ethical tensions around state involvement, particularly with participants from nations where research feeds offensive capabilities. Chinese teams dominated Pwn2Own from 2014 to 2017, securing up to 80% of prizes, before a government ban on international participation shifted focus to domestic events like the Tianfu Cup. Regulations requiring zero-day reports to state agencies within 48 hours create dual-use dilemmas, as skills honed in ethical contests pipeline talent to state-sponsored , undermining global trust in shared research. This raises questions about the morality of open competitions, where ostensibly defensive demonstrations may indirectly bolster adversarial arsenals without researcher consent.

Researchers face personal ethical challenges, including conflicts between financial incentives and public welfare, as high-stakes prizes commodify vulnerabilities into a prone to burnout and selective targeting. Pwn2Own rules prohibit prior exploit sales and require participants to verify compliance with codes, yet cases of private pre-disclosure, such as a WhatsApp exploit reported to before competition, illustrate tensions between maximizing rewards and prior obligations. Ultimately, these debates underscore research's dual nature: advancing secure development while risking proliferation, with Pwn2Own's model favoring coordinated over unfettered .

Impact on Cybersecurity

Contributions to Secure Development Practices

Pwn2Own, organized by the Zero Day Initiative (ZDI), contributes to secure development by facilitating responsible of zero-day vulnerabilities demonstrated during contests, providing vendors with detailed exploit information to enable targeted patches. Following successful hacks, ZDI grants vendors a 90-day window to develop and release fixes before public advisory publication, which has resulted in numerous security updates for products like browsers and operating systems. This process has directly influenced patching timelines, as seen in cases such as Mozilla's rapid response to two zero-days exploited at Pwn2Own 2025, leading to immediate security advisories and updates addressing content-process code execution risks. Similarly, patched four vulnerabilities disclosed at the same event within weeks, mitigating potential remote code execution in its products. Over multiple events, Pwn2Own has driven the disclosure of over 70 zero-days in a single contest like 2024, with all findings channeled to affected parties for remediation, thereby reducing exposure for millions of users.

By publicly demonstrating high-impact exploits, the competition raises awareness of persistent flaws in common vulnerability categories, such as memory corruption and injection issues, compelling developers to prioritize exploitability in their secure coding workflows. This exposure has normalized proactive bug hunting and incentivized vendors to integrate practices like , static analysis, and memory-safe languages to minimize easily exploitable weaknesses, as evidenced by recurring event outcomes highlighting deficiencies in the software development lifecycle. ZDI's model, operational for 20 years as of 2025, underscores financial incentives for researchers to report flaws responsibly rather than sell to black markets, fostering a collaborative that enhances overall product hardening.

Influence on Private Vulnerability Markets

Pwn2Own has established a structured, transparent alternative to zero-day markets by awarding substantial cash prizes for demonstrated exploits, with total payouts exceeding $1 million in events such as the 2025 competition, where $1,155,000 was distributed for 25 . Organized by the Zero Day Initiative (ZDI), the contest acquires these and coordinates responsible disclosure to vendors, prioritizing patching over prolonged secrecy, which contrasts with private brokers like that purchase exploits for non-disclosure to maintain their offensive utility. This model incentivizes researchers to pursue ethical avenues, potentially diverting talent from opaque trading where exploits fetch higher prices—up to millions for high-impact —but risk enabling unchecked weaponization.

The contest's public demonstration and subsequent vendor notifications accelerate patching cycles, diminishing the exclusivity and resale value of similar undisclosed vulnerabilities markets, as evidenced by rapid exploit campaigns targeting Pwn2Own-disclosed flaws before full . By showcasing exploit feasibility under timed conditions, Pwn2Own raises awareness of pricing dynamics, influencing bug bounty programs to offer competitive rewards; for instance, it has paved the way for platforms like , where payouts for critical flaws now often reach tens of thousands, mirroring the contest's emphasis on high-stakes, verifiable hacks. However, top-tier researchers may still favor private brokers for premium targets, as Pwn2Own's requirement limits applicability to exploits intended for secrecy-driven sales.

Overall, Pwn2Own exerts downward pressure on private market premiums by legitimizing high-reward , fostering a shift toward defensive use of zero-days while highlighting the trade-offs between immediate payouts and long-term cybersecurity gains. This has prompted some governments to restrict participation, as seen in China's ban on international contests to retain domestic control over researcher outputs, underscoring the contest's role in reshaping global .

Criticisms of Effectiveness and Rapid Reuse Risks

Critics contend that Pwn2Own's vulnerability disclosure process, while accelerating patches for demonstrated flaws, fails to prevent rapid weaponization by adversaries, as evidenced by exploits transitioning from contest stages to widespread attacks within months. The ToolShell exploit chain, demonstrated at Pwn2Own in May 2025 by researcher Dinh Ho Anh Khoa for a $100,000 prize, targeted servers via unauthenticated deserialization (CVE-2025-53770) and other flaws. By July 7, 2025, it was exploited in the wild, compromising over 400 networks including U.S. government agencies, with attackers deploying variants like 4L4MD4R and ; 's initial patch on July 8 proved insufficient against ongoing campaigns by groups such as Linen Typhoon. This case illustrates reuse risks, where coordinated disclosure through the Zero Day Initiative delays public details but does not deter monitoring by state actors or criminals who reverse-engineer or leak techniques post-event.

The RondoDox botnet further exemplifies these limitations, emerging in June 2025 and exploiting over 50 vulnerabilities across 30 vendors, including Pwn2Own-identified issues like CVE-2023-1389 in routers—patched in 2023 but reused via persistent n-day attacks. Employing an "exploit shotgun" tactic bundling Mirai and Morte , the campaign targeted unpatched routers, DVRs, and NVRs for rapid expansion, aided by AI-driven scanning. Such rapid repurposing narrows the gap between disclosure and mass exploitation, particularly when patch adoption lags, questioning Pwn2Own's net contribution to amid slow vendor mitigation.

Broader critiques highlight Pwn2Own's inability to enforce systemic improvements, as repeated discoveries of similar flaw types—such as buffer overflows and authentication bypasses—signal ongoing deficiencies in secure development practices among vendors. Despite annual events unearthing dozens of zero-days, the persistence of exploitable chains in products like and routers suggests that incentives for short-term fixes do not translate to robust, proactive defenses, potentially fueling an where adversaries adapt faster than ecosystems harden. This dynamic underscores risks from public demonstrations, where techniques may inform attacker playbooks even under embargo, eroding the competition's preventive efficacy without complementary mandates for accelerated patching and deployment.
