Security staff from Hewlett-Packard and Google are to compete in a web browser hacking contest
Hewlett-Packard and its Zero Day Initiative (ZDI) effort have sponsored the Pwn2Own contest at the CanSecWest conference for years now.
At the Pwn2Own event, independent security researchers square off against each other hacking Web browsers for prize money. Never before has HP’s own researchers participated in the actual hacking contest, but that is now set to change.
HP is announcing today the Pwn4Fun event at Pwn2Own, where HP ZDI staff will compete against Google staff to see who can hack browsers with new previously undisclosed exploits.
In the regular Pwn2Own event, researchers are awarded prize money for successful exploitation of Microsoft’s Internet Explorer 11, Mozilla’s Firefox, Apple’s Safari and Google’s Chrome Web browsers. This year’s Pwn2Own event will include a special $150,000 (£90,000) prize for a researcher who is able to successfully exploit IE 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.
For the Pwn4Fun event, instead of giving HP and Google researchers prize money, HP is donating money to charity. For an IE or Chrome exploit, HP will donate $50,000 (£29,997); for a Flash exploit, $37,500 (£22,507) will be donated. The Canadian Red Cross will be the recipient.
Brian Gorenc, manager of Vulnerability Research at HP’s Security Research division, told eWEEK that his team will be limiting itself to vulnerabilities discovered internally by members of the ZDI team.
“Vulnerabilities submitted through our external research community are out of scope for our entries,” Gorenc said. “ZDI is using any means necessary to find the flaws that can be used in the competition, with a goal of donating as much money to charity as possible.”
Gorenc said the charity attempts by ZDI and Google will be the first to go at Pwn2Own when the event starts on 12 March.
“Our goal is to ensure every contestant has equal opportunity to win,” he said.
As to why HP is now starting the Pwn4Fun event, Gorenc has a simple answer: “Why not?”
“Pwn2Own highlights some of the best exploit developers in the world,” Gorenc said. “This new session within Pwn2Own provides employees in both HP and Google with the ability to participate, show off their skills and donate a bunch of money to charity.”
He added, “It is a win-win for everyone.”
Are you a security pro? Try our quiz!