Organizers of Pwn2Ownon Sunday defended the hacking contest’s rules after a three-time winner criticized the challenge for encouraging researchers to “weaponize” exploits.
The contest, which starts March 9, pits researchers against four browsers — Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer (IE) and Mozilla’s Firefox — as well as against smartphones running Apple’s iOS, Google’s Android, Microsoft’s Windows 7 Phone and RIM’s BlackBerry OS.
By Pwn2Own’s rules, the first researcher to hack Firefox, IE or Safari, or each of the smartphones, wins a cash prize of $15,000. Taking down Chrome earns $20,000.
The order in which researchers will tackle a target is assigned by a random drawing, and the contest is winner-take-all: Only the first to hack a browser or smartphone walks off with the money.
And that has Charlie Miller, an analyst for the Baltimore-based consulting firm Independent Security Evaluators (ISE), — and the only researcher to have won at Pwn2Own three years running — upset.
“I’m disappointed in how many people have signed up [for Pwn2Own] and how few will win prizes,” Miller said in an interview Friday. “What happens to all these other exploits that don’t win?”
Miller drew the fourth, and final spot for Safari, the browser he’s exploited each of the last three years at Pwn2Own. Along with Dion Blazakis, who also works for ISE, Miller is slated to go second in the iPhone hacking challenge.
Related story –Researcher to demonstrate smartphone radio hack
Being first at Pwn2Own is critical to success, since the level of competition is so stiff, a fact noted not only by Miller but also by Dan Holden, the director of HP TippingPoint’s DVLabs, the contest’s sponsor, in a separate interview Friday.
Miller’s point is that with so many contestants — TippingPoint has said this year’s list is the largest ever — some researchers will go home empty handed. But the vulnerabilities they find and the exploits they create will not be taken off the market.
As per Pwn2Own rules, TippingPoint’s Zero Day Initiative (ZDI) bug bounty program acquires the rights to the winning vulnerabilities and exploits, and swears the researcher to secrecy. ZDI then reports the bugs to the corresponding vendor, and gives that vendor six months to patch the problem before releasing any information to the public.
“There’s no way I’m gonna show my exploit if someone wins ahead of me,” said Miller, pointing to the Safari category, where he said it’s very unlikely the browser will survive three other contestants’ attacks. “So I’m not going to report that vulnerability.”
More important, said Miller, is that he and others have created reliable exploits for unpatched bugs. In security speak, “weaponizing” an exploit means the attack code is more than a theoretical proof-of-concept, but actually works.
“It’s almost dangerous to encourage researchers to weaponize an exploit” that then isn’t taken off the table,” Miller said.
Aaron Portnoy, manager of TippingPoint’s security research team and the organizer of Pwn2Own for each of its five years, countered Miller’s complaint.
“I have to wholeheartedly disagree regarding researchers developing weaponized exploits,” said Portnoy in an e-mail reply to questions. “Those who compete in Pwn2Own usually have a moral reason for doing so. I think many are aware of the less legitimate outlets who pay more for such research [but] they prefer to deal with an entity that discloses the information to the affected vendor who ultimately fixes the vulnerability.”
Although Portnoy’s company won’t distribute cash prizes for all successful hacks this year — a practice it did in 2008, when it gave $5,000 for each zero-day exploit — it will pay for bugs that researchers don’t get a chance to use.
“We are still offering money through the normal [ZDI] program for any vulnerabilities the contestants didn’t get a chance to use,” said Portnoy. “In fact, we are likely able to offer a higher amount of [ZDI] reward points if the submitted information is legitimate and exploitation is demonstrated.”
ZDI does not disclose its bug bounty fee schedule, but awards “reward points” — akin to frequent flier miles — that contributors can cash in for one-time payments.
For his part, Miller said he was thinking of publicly releasing the vulnerabilities and exploits he had for Pwn2Own if he didn’t win at the contest this year.
“Maybe I’ll just drop them all for free, to show them how pissed off I am,” Miller said Friday.
Portnoy called Miller’s comment “discouraging,” but pointed out that there was more to Pwn2Own than the prize money, a factor he thought would prevent researchers from releasing unused vulnerabilities and exploits into the wild.
“The researchers who compete in Pwn2Own are doing so not merely for the money, but for the fame associated with the skills they demonstrate,” Portnoy argued. “I can’t imagine that irresponsible disclosure of vulnerability information with absolutely no vendor notification will attract positive notoriety.”
Pwn2Own is scheduled to run March 9-11 at CanSecWest, a security conference held each year in Vancouver, British Columbia.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed. His e-mail address is [email protected].