Hewlett-Packard's Zero Day Initiative (ZDI) yesterday spelled out the rules for its March hacking contest, Pwn2Own, which will put two-thirds of $1 million in prize money on the table for researchers who can hack the biggest browsers and most popular plug-ins.
ZDI is HP's bug-bounty program, run by its TippingPoint division, a maker of intrusion prevention system (IPS) and firewall appliances for corporate networks.
[ GitHub bug bounties: Smaller, more focused is better | Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]
The 2014 edition of Pwn2Own will offer $645,000 in potential awards to hackers who demonstrate exploits of previously unknown vulnerabilities in Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer (IE), or Apple's Safari, or the Adobe Reader, Adobe Flash, or Oracle Java browser plug-ins.
Those targets were also the focus of last year's challenge.
Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome or IE11 on Windows 8.1. Payments will drop to $75,000 for Adobe Flash or Reader running in IE11, then slide through other targets before ending at $30,000 for Java. Prizes will also be given for exploiting Safari ($65,000) and Firefox ($50,000).
A new $150,000 prize will also be at stake for what HP called the "Exploit Unicorn," a multi-exploit string able to not only hack IE11 on Windows 8.1, but also obtain system-level code execution when Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a utility that manually enables anti-exploit technologies such as ASLR (address space layout randomization) and DEP (data execution prevention) for specific applications, is enabled.
"We're trying to highlight the prowess of the best researchers in the world," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview Friday, referring to the grand prize. "We know that researchers are looking at this [EMET], and we wanted to make this extra difficult."
To grab the $150,000, researchers will have to bypass IE11's "sandbox," a defensive technology that isolates the browser from the rest of the operating system, then leverage at least one additional vulnerability to gain system access -- all while EMET is in action.
While Gorenc acknowledged that the addition of EMET is in part an artificial hurdle designed to make exploitation more difficult, there's some method to the madness: Microsoft has increasingly pitched EMET, even to individual users, as a stop-gap defense to use between the time a new vulnerability has been discovered and when the bug is patched.
Pwn2Own, which is in its eighth year, will run March 12-13 at the CanSecWest security conference in Vancouver, British Columbia. Google will also be running its own Pwnium contest -- which will pit researchers against its Chrome OS -- at CanSecWest, and will be kicking in 25 percent of the prize money for Pwn2Own.
This year's Pwn2Own will again use a random drawing to choose the order that researchers tackle a target. Each researcher or team of researchers will have 30 minutes to demonstrate their exploit. If successful, the prize money will be awarded and researchers who didn't get a favorable draw will be out of luck.