PWN2OWN: What’s a Vulnerability Worth?

Every day, hackers around the world try and find exploits in Web browsers and mobile platforms. Today, however, at least some will be helping the industry.

That’s the thinking behind the third annual PWN2OWN contest, which kicks off today at the CanSecWest conference in Vancouver, British Columbia. There, security researchers will be looking for vulnerabilities and profiting from them immediately — with cold hard cash.

The three-day effort PWN2OWN contest isn’t just about exposing holes in software so that hackers can get a payout. Rather, the contest is designed as a legitimate way to help vendors find and fix security holes before they are exploited in the wild — where they can do real damage.

This year, PWN2OWN winners could be walking away with as much as US$10,000 per vulnerability, thanks to security vendor TippingPoint, the contest’s lead sponsor.

“We support security research — it’s the foundation of what we do,” Terri Forslof, manager of security response at TippingPoint DVLabs, told “Now we’re looking at year three, and it’s always a challenge to make it fresh and interesting.”

In the past, PWN2OWN has targeted Web browsers in particular, and they’ll again be a focus this year. In addition, this year’s contest will also go after mobile platforms, including Apple’s iPhone, Google’s Android, Nokia-owned Symbian, the Research in Motion Blackberry and Windows Mobile-based devices.

“We’re taking all these latest and greatest platforms and not just looking for the mobile browser issues specifically, because that’s an obvious area,” Forslof said. “Making a prediction: Apple iPhone is perhaps the weakest target because of its browser.”

The iPhone uses Apple’s (NASDAQ: AAPL) Safari Web browser, which has been specifically targeted over the last two years as a means of attack.

In addition to exploring the security of mobile browsers, Forslof said researchers at PWN2OWN also will be looking at the core networking and wireless features of the devices — including radio interaction and SMS — as well as default application issues on the devices.

How to win

The key to winning is to produce a vulnerability that can be exploited — and not just a bug that leads to a recoverable crash. On the mobile side, Forslof said aspiring hackers will have to be able to gain unauthorized access to take over the phone to be eligible for a prize.

For browser vulnerabilities, Forslof said that TippingPoint will pay US$5,000 per vulnerability discovered, with Sony Vaios and MacBooks as additional prizes. She explained that what typically happens is that the first person to hack the device wins it.

On the mobile side, the top cash prize will be US$10,000, and the winner will also get to keep the mobile device they hacked.

There can also be more than one winner for either the mobile or browser categories.

“If more than one person produces a vulnerability, we’ll purchase multiple vulnerabilities,” Forslof said.

Vendor Support

Forslof claimed that TippingPoint has received vendor support from all of the vendors impacted by PWN2OWN. was unable to independently confirm Forslof’s claim by press time.

“We work closely with them beforehand — vendors like Microsoft and Apple,” Forslof said. “This year, we reached out to mobile phone vendors.”

She added that the vulnerabilities found at PWN2OWN are not a risk to vendors, in that the issues participants uncover are handed over to the vendors immediately.

“The vendors we work with appreciate what we do — we provide incentives to researchers to find vulnerabilities,” Forslof stated.

Many tech vendors do not buy vulnerabilities as a matter of corporate policy, however. So for TippingPoint to pay for their discovery, it provides a go-between — but it doesn’t mean the vendors are buying the vulnerabilities from TippingPoint.

“They recognize as the majority of industry does, that there is an economic model growing around this raw material,” Forslof said. “So we can provide the monetary incentive to get people to come forward with vulnerabilities.”

She explained that TippingPoint gets the researchers to sign non-disclosure agreements, and they also track the issue to ensure it doesn’t leak into the wild.

“It would be nice if money was changing hands for us, but we have no arrangement with any of the vendors with money,” Forslof added. “This is a free service we provide to them.”

TippingPoint, however, is able to recoup some of their costs as an investment in their own security business. The company provides security services that are intended to protect their users from vulnerabilities, both known and unknown.

“For every vulnerability that we’re not scrambling to patch at the last minute, this effort helps us,” Forslof said. “It leaves us free to be focused on the issues we don’t know about.”

News Around the Web