"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.
Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.
Mlynski and Aedla each won $50,000 for hacking Firefox. Gorenc confirmed that the three Firefox attempts exploited different vulnerabilities.
Both Mlynski and Aedla are experienced researchers: Mlynski has reported several Firefox vulnerabilities to that browser's security team, while Aedla earned more than $10,000 in bug bounties by submitting numerous Chrome flaws to Google in 2011 and 2012.
TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which all had representatives on-site, ready to jump on patching.
"I think we hit it out of the park this time," said Gorenc of ZDI, referring to how smoothly Pwn2Own ran Wednesday. "We gave the contestants 30 minutes each, but most of them demonstrated their exploits within minutes, all within five minutes, and then used the remaining time to go to the disclosure room where vendors waited."
Before Pwn2Own kicked off at noon PT Wednesday at CanSecWest -- the Vancouver, British Columbia, security conference that has hosted the contest for the last eight years -- ZDI and Google sponsored a new challenge, dubbed "Pwn4Fun," where the two sponsors raised $82,500 for the Canadian Red Cross by presenting vulnerabilities and exploits of their own.
The Google team cracked Apple's Safari at Pwn4Fun, while ZDI presented a multi-exploit hack of IE11 and disclosed six additional Internet Explorer vulnerabilities that its own researchers had found over the last two weeks, said Gorenc.
Some had taken to Twitter over the last week to criticize Google and ZDI for Pwn4Fun, arguing that because the two teams had "banked" vulnerabilities to use in the charity drive, they were being hypocritical by not immediately informing the vendors -- Apple and Microsoft in this case -- of the bugs.
But Gorenc defended Pwn4Fun. "We made the browsers safer [with Pwn4Fun], and we're excited about that," Gorenc said.
Pwn2Own continues today, with Vupen and several independent researchers slated to tackle Apple's Safari and Google's Chrome, as others take additional attempts at Adobe Flash, Firefox and Internet Explorer.
Among today's scheduled contestants is George Hotz, also known as "geohot," a noted iPhone and Sony PlayStation 3 hacker, who will try his hand at breaking Firefox. Hotz has participated in previous Pwn2Own challenges, including last year's, where he exploited Adobe Reader for a $70,000 prize.
Also yesterday, Google ran its own one-day "Pwnium 4" contest at CanSecWest, pitting researchers against Chrome OS, the browser-based operating system that powers Chromebook laptops. According to a company post on Google+, one researcher successfully exploited Chrome OS on an HP Chromebook 11, winning the notebook and a $150,000 prize.
"We'll be considering partial credit for a second researcher working on the same platform," Google wrote, adding that it would publish a longer recap after CanSecWest concludes on Friday.
ZDI has posted a brief description of the results on its website.
"This is a first for the white hat market," said Gorenc of the first day's total awards of $400,000. "Over two days, we'll probably pay out over a million dollars for responsibly disclosed vulnerabilities. We're excited to do that."
This article, Researchers pocket record $400K at Pwn2Own hacking contest's first day, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org. See more articles by Gregg Keizer.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.