"The [six-month deadline] policy helped create the numbers of this year," Brown said.
Among the most interesting trends in bugs bought this year, ZDI said vulnerabilities in industrial control systems -- dubbed SCADA for "supervisory control and data acquisition" -- topped the list.
ZDI acquired six SCADA vulnerabilities in 2011 that affected software created by General Electric, Honeywell, and InduSoft.
"We have some pretty serious [SCADA] bugs," said Brown. "And so far, our experience with the vendors has been great."
ZDI has not released any zero-day advisories for SCADA bugs it's obtained, but Portnoy said that TippingPoint was not above dropping one if a patch wasn't aggressively pursued.
He attributed the interest in SCADA vulnerabilities to last year's Stuxnet, the worm most experts believe was crafted to sabotage Iran's nuclear fuel enrichment program by damaging centrifuges at one or more facilities.
TippingPoint is working with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), part of US-CERT, which in turn is within the Department of Homeland Security, to coordinate the disclosure of the SCADA bugs it's obtained.
Portnoy said that ZDI would "step up the stakes" of the contest by modifying both the format of the contest and the prizes awarded. He declined to reveal more information about 2012's Pwn2Own, but promised to provide more information to researchers early next year.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers, and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about security in Computerworld's Security Topic Center.