Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com)

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

8 of 56 comments

  1. thought by buddyglass · Score: 4, Interesting

    Microsoft, Adobe, Google, Apple, and maybe some of the larger Linux contributors/users (IBM, Oracle, Amazon) should form a sort of "consortium" and chip in $1M/year each to fund a much more lucrative version of Pwn2Own. That's chump change to them. With ~$8M in prizes yearly, I dare say we'd eliminate a lot of security flaws.

    1. Re:thought by buddyglass · Score: 2

      If you offer the money and nobody claims it then you haven't lost. If nothing else, you can use it as P.R.

      Now that I've had some time to think about it more, what would worry me is that if the prize were lucrative enough, people might delay reporting flaws they've found in order to claim the yearly prize. So it would really need to be an "all the time" thing and not necessarily a yearly thing.

    2. Re:thought by Gumbercules!! · Score: 2

      They're not hoping people will magically discover flaws because of the reward, rather that they will turn in known vulnerabilities or not hand them over to the black market, for money.

  2. Re:Apache is trivial to exploit by ledow · Score: 2

    Go claim your $200,000 then.

  3. Submitter missed one of the bounties by 93+Escort+Wagon · Score: 4, Funny

    $1.99 for a working IIS exploit.

    --
    #DeleteChrome

    1. Re: Submitter missed one of the bounties by pellik · Score: 2

      That would blow the budget.

  4. Re:Apache is trivial to exploit by 93+Escort+Wagon · Score: 3, Funny

    Go claim your $200,000 then.

    One problem - his mom won't let him travel alone...

    --
    #DeleteChrome

  5. It's about time! by Gravis+Zero · Score: 2

    Having a competition to attack Windows and OSX is fine and all but it's not helpful to anyone trying to run a secure system. I'm looking forward to any number of Linux kernel exploits because it's running on most servers... and my desktop. :)

    --
    Anons need not reply. Questions end with a question mark.