Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com)

Posted by EditorDavid on from the big-bug-bounties dept.

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

19 of 56 comments (clear)

  1. thought by buddyglass · · Score: 4, Interesting

    Microsoft, Adobe, Google, Apple, and maybe some of the larger linux contributors/users (IBM, Oracle, Amazon) should form a sort of "consortium" and chip in $1M/year each to fund a much more lucrative version of pwn2own. That's chump change to them. With ~$8M in prizes yearly, I dare say we'd eliminate a lot of security flaws.

    1. Re:thought by buddyglass · · Score: 2

      If you offer the money and nobody claims it then you haven't lost. If nothing else, you can use it as P.R.

      Now that I've had some time to think about it more, what would worry me is that if the prize were lucrative enough, people might delay reporting flaws they've found in order to claim the yearly prize. So it would really need to be an "all the time" thing and not necessarily a yearly thing.

    2. Re:thought by Gumbercules!! · · Score: 2

      They're not hoping people will magically discover flaws because of the reward, rather that they will turn in known vulnerabilities or not hand them over to the black market, for money.

  2. Apache is trivial to exploit by Anonymous Coward · · Score: 1

    When paired with mod_php it is child's play.

    How about targeting nginx, a superior web server?

    1. Re:Apache is trivial to exploit by ledow · · Score: 2

      Go claim your $200,000 then.

    2. Re:Apache is trivial to exploit by 93+Escort+Wagon · · Score: 3, Funny

      Go claim your $200,000 then.

      One problem - his mom won't let him travel alone...

      --
      #DeleteChrome
    3. Re:Apache is trivial to exploit by gravewax · · Score: 1

      I would expect the Apache prize to be claimed pretty quickly, They seem to have gotten worse in recent years rather than improving.

  3. Submitter missed one of the bounties by 93+Escort+Wagon · · Score: 4, Funny

    $1.99 for a working IIS exploit.

    --
    #DeleteChrome
    1. Re: Submitter missed one of the bounties by pellik · · Score: 2

      That would blow the budget.

    2. Re:Submitter missed one of the bounties by wvmarle · · Score: 1

      Joking aside, if prize money is related to the difficulty of an exploit, then why is a Linux kernel exploit half the price of a Windows kernel exploit?

  4. Big Money Prizes by PopeRatzo · · Score: 1

    As you all know, first prize is a Cadillac El Dorado. Anybody want to see second prize? Second prize is a set of steak knives. Third prize is you're in prison.

    And by the way, all of you now work for the government, comrades.

    --
    You are welcome on my lawn.
  5. It's about time! by Gravis+Zero · · Score: 2

    Having a competition to attack Windows and OSX is fine and all but it's not helpful to anyone trying to run a secure system. I'm looking forward to any number of Linux kernel exploits because it's running on most servers... and my desktop. :)

    --
    Anons need not reply. Questions end with a question mark.
  6. Can kind of see security by price... by cant_get_a_good_nick · · Score: 1

    Chrome and Edge the hardest, safari a bit less secure, Firefox at the bottom. at least they're in the competition - they used to be so insecure as to not worth being in the competition

  7. Why these numbers? by garote · · Score: 1

    Why is the Safari bounty higher than the Firefox bounty, even though more people are on Firefox? More backing from Apple? More easily exploited target userbase?

  8. Firefox is back! And windows exploit more $$$? by tlhIngan · · Score: 1

    Well, the good news is that Firefox is back! It was banned a few years because it was considered so insecure that there was no challenge in finding a new exploit.

    Though, $30,000 for a Windows kernel elevation exploit? It seems like a lot of money, especially since macOS gets you $20,000 and Linux a measly $15,000.

    1. Re:Firefox is back! And windows exploit more $$$? by Gumbercules!! · · Score: 1

      Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all. If you discover have a Windows exploit - you can sell it for a lot of money if you sell it exclusively. Not so much an OSX and even less a Linux desktop exploit. So market forces dictate that, if you want people to actually turn up to pwn2own and show you their exploits, you need to make it attractive, not just to pure whitehats but to greyhats, too. If they can get $50,000 or something from "some guy in Russia" you can't very well offer $5,000 and hope they tell you out of the goodness of their hearts.

    2. Re:Firefox is back! And windows exploit more $$$? by wvmarle · · Score: 1

      That wouldn't explain why Edge has so high a price on its exploits, as it's one of the smaller browsers nowadays.

    3. Re:Firefox is back! And windows exploit more $$$? by Gumbercules!! · · Score: 1

      Possibly - but there's likely a similar set of drivers. a) Microsoft is paying for the bounties. b) Again, criminals know if they can break Edge, they will get a sizeable number home users now and more in the future and c) (some) corporations are more likely to use Edge than Chrome, especially as more move to Windows 10.

    4. Re:Firefox is back! And windows exploit more $$$? by benjymouse · · Score: 1

      Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all.

      Wrong. All of these prizes are far below what a zero-day exploit is worth on the black market. This contest is not a way to overbid the black market; rather it is a way for white-hats to showcase their skills and bring attention to vulnerabilities.

      The prizes a set to reflect the expected difficulty; the hardest target - the ones that involves the most work - pays most. Virtual machine escapes are considered really hard because of the very limited attack surface.

      Windows 10 is considerably harder to crack than Linux and OS/X. The latter 2 still have *far* to many services running as root and still exposes a lot of SUID root executables. Windows 10 has also adopted many of the EMET anti-exploit techniques. You'd have to harden Linux with grsecurity to achieve the same level.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*