Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Security Chrome Desktops (Apple) Firefox Safari Virtualization Windows Apache Linux

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 56

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

This discussion has been archived. No new comments can be posted.

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits

Comments Filter:
  • thought (Score:5, Interesting)

    by buddyglass ( 925859 ) on Saturday January 21, 2017 @03:40PM (#53711947)
    Microsoft, Adobe, Google, Apple, and maybe some of the larger linux contributors/users (IBM, Oracle, Amazon) should form a sort of "consortium" and chip in $1M/year each to fund a much more lucrative version of pwn2own. That's chump change to them. With ~$8M in prizes yearly, I dare say we'd eliminate a lot of security flaws.
  • by Anonymous Coward

    When paired with mod_php it is child's play.

    How about targeting nginx, a superior web server?

  • by 93 Escort Wagon ( 326346 ) on Saturday January 21, 2017 @05:29PM (#53712361)

    $1.99 for a working IIS exploit.

  • As you all know, first prize is a Cadillac El Dorado. Anybody want to see second prize? Second prize is a set of steak knives. Third prize is you're in prison.

    And by the way, all of you now work for the government, comrades.

  • by Gravis Zero ( 934156 ) on Saturday January 21, 2017 @07:27PM (#53712837)

    Having a competition to attack Windows and OSX is fine and all but it's not helpful to anyone trying to run a secure system. I'm looking forward to any number of Linux kernel exploits because it's running on most servers... and my desktop. :)

  • Chrome and Edge the hardest, safari a bit less secure, Firefox at the bottom. at least they're in the competition - they used to be so insecure as to not worth being in the competition

  • Why is the Safari bounty higher than the Firefox bounty, even though more people are on Firefox? More backing from Apple? More easily exploited target userbase?

  • Well, the good news is that Firefox is back! It was banned a few years because it was considered so insecure that there was no challenge in finding a new exploit.

    Though, $30,000 for a Windows kernel elevation exploit? It seems like a lot of money, especially since macOS gets you $20,000 and Linux a measly $15,000.

    • Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all. If you discover have a Windows exploit - you can sell it for a lot of money if you sell it exclusively. Not so much an OSX and even less a Linux desktop exploit. So market forces dictate that, if you want people to actually turn up to pwn2own and show you their exploits, you need to make it att
      • That wouldn't explain why Edge has so high a price on its exploits, as it's one of the smaller browsers nowadays.

        • Possibly - but there's likely a similar set of drivers. a) Microsoft is paying for the bounties. b) Again, criminals know if they can break Edge, they will get a sizeable number home users now and more in the future and c) (some) corporations are more likely to use Edge than Chrome, especially as more move to Windows 10.
      • Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all.

        Wrong. All of these prizes are far below what a zero-day exploit is worth on the black market. This contest is not a way to overbid the black market; rather it is a way for white-hats to showcase their skills and bring attention to vulnerabilities.

        The prizes a set to reflect the expected difficulty; the hardest target - the ones that involves the most work - pays most. Virtual machine escapes are considered really hard because of the very limited attack surface.

        Windows 10 is considerably harder to crack tha

The way to make a small fortune in the commodities market is to start with a large fortune.

Working...