Over the last several years, the Pwn2Own hacking challenge has become known as the place where browsers get hacked, sometimes within just a matter of minutes. This year, the event’s organizers at HP TippingPoint’s Zero Day Initiative (ZDI) are looking to project a more serious demeanor and downplay the sensational nature of the contest — even as they change the rules in an effort to demonstrate a record number of exploited security vulnerabilities.
“In the past, due to the way the competition was architected, we had lots of sensationalist headlines, things like ‘Mac hacked in three seconds’,” said Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint, in a conversation with InternetNews.com. “We don’t think that type of sensationalism was representative of all the research that was going on.”
In previous years, researchers would go on stage to demonstrate a vulnerability, sometimes in under a minute. At the 2011 event, Apple Safari and Microsoft’s IE were hacked on the first day. At the event two years prior, Safari was hacked in under two minutes.
The events in previous years also used a random drawing to determine which researcher would get the opportunity to demonstrate their exploit. As such, even if there were five researchers ready to demonstrate a Firefox 0-day vulnerability, only one was eligible to win the contest.
“The problem with that is that it’s not much of a competition, as the researchers were not really competing against each other as it was just a random drawing,” Portnoy said. “As well, the vulnerabilities that other contestants had, but were not able to demonstrate at the contest, were not being fixed and were just kind of ignored.”