HP TippingPoint is revamping its annual Pwn2Own hacking contest,dropping attacks against popular smartphones to focus solely on browser-based vulnerabilities andoffering higher cash payouts to winners.
This is really about keeping the prize amounts at a levelthat is competitive and the research teams feeling like they're getting something worthwhile fortheir efforts.Aaron Portney, HP TippingPoint
The scaled-down contest, which will take place in March at the CanSecWest Conference inVancouver, will completely focus on the browser and give hackers an opportunity to earn points overthree days for performing successful attacks using a zero-day vulnerability. HP TippingPoint is rewarding $105,000 in cash,divided between first, second and third place winners. In addition, Google is participating for thesecond year in a row, offering $10,000 and $20,000 vulnerability payouts to researchers who cansuccessfully demonstrate an exploit using flaws in the Chrome browser.
Aaron Portnoy, the leader of HP TippingPoints security research team, said the goal was tocreate a fair competition for all researchers and research teams and provide cash prizes at a levelthat matches the market for vulnerabilities.
We want to make sure the amount of money were offering is competitive, Portnoy said. If were only offering $20,000, a researcher may not feel that is the type of compensation theirintellectual property deserves.
In the past, a drawing was used to randomly select the order the researchers participated in thecompetition. Under the old rules, a winner would be awarded the cash prize and the target browseror smartphone was immediately taken out of the competition. The revised contest gives allparticipants a chance to compete for a cash prize, Portnoy said. The first place finisher will beawarded $60,000. Second place winner is awarded $30,000, and the third place winner gets$15,000.
This is really about keeping the prize amounts at a level that is competitive and the researchteams feeling like they're getting something worthwhile for their efforts, Portnoy said. Combinedwith what Google is rewarding, the top team or individual can definitely walk away with a lot ofmoney.
The Pwn2Own contest is maintained by the HP TippingPoint Zero Day Initiative team, which rewardsresearchers throughout the year for flaw submissions through its bug bounty program.. TippingPointacquires the rights to the winning vulnerabilities and exploits, and reports the flaws to thecorresponding vendor, giving vendors six months to issue a patch before releasing any informationto the public.
Pwn2Own hacking contest criticism
Charlie Miller, an analyst for the Baltimore-based consulting firm Independent SecurityEvaluators, criticized the competition last year saying it encourages researchers to weaponizeexploits. Miller, who has won the competition several times, told ComputerWorldthe contest grew to the point where only a few researchers walked away with cash prizes. Meanwhile,contestants who were unable to compete because they drew a bad spot in the random drawing were ableto walk away from the competition with working exploits, Miller said.
The contest also has been strained in recent years by new vulnerability rewards programs offeredto researchers by other security vendors. In addition, Mozillaand Googlerun their own bug bounty programs. Microsoft does not support a vulnerability bounty program. The software giant announced a BlueHat competition at Black Hat 2011 that pays out up to $260,000 in cash to researchers who candevelop a technology that prevents attackers from targeting memory safety vulnerabilities.
The Pwn2Own smartphone hacking competition was added in 2010. A problem surfaced last year, whena team of researchers exploitedmultiple Webkit vulnerabilities in a browser attack against a BlackBerry Torch 9800 smartphone.The Webkit rendering engine is used in the Chrome, Safari and Blackberry browsers. The bugswere fixed by the Webkit development team, but cellphone carriers were slow to push out a securityupdate, leaving some handsets open to attack.
Vulnerabilities fixed in Webkit today could be used against the iPhone or BlackBerry formonths, because it takes a long time to distribute updates through the carriers to the devices,Portnoy said. Were trying to avoid all those issues.
New point-based system
Under the new rules, a researcher or a research team can compete for the cash prizes bydemonstrating a successful attack using a zero-day flaw in the Internet Explorer, Firefox, Safarior Chrome browsers. Researchers will receive 32 points for each successful attack. Unlike previousyears, the target browser will not be removed from the contest if someone demonstrates anexploit against it, Portnoy said. This gives more researchers an opportunity to compete, hesaid.
On-site exploit development
Researchers can also gain points by demonstrating their ability to develop a browser-basedexploit using patched vulnerabilities provided by HP TippingPoint. Each contestant will be given avirtual machine and proof-of-concept for two vulnerabilities in each of the four browsers. Anexploit written on the first day of the contest is worth 10 points, the second day of the contestan exploit is worth 9 points and 8 points on the third day of the contest.
Google Chrome cash prizes
Search engine giant Google is offering rewards for two classes of vulnerabilities. The companywill reward $20,000 for each full, unsandboxed code execution vulnerability that is demonstratedagainst Chrome. A researcher or research team that demonstrates a partial Chrome hack executingagainst a Chrome vulnerability and an operating system flaw will receive $10,000 for eachattack. All other unique exploits against Chrome will be rewarded $10,000.
0 comments:
Post a Comment