Mar 4, 2011

Pwn2Own 2011 hacking contest set to roll on

Do you consider yourself a hacker skilled enough to crack the world's top four browsers and dive deep into them to catch bugs? If so, continue reading, and jump over to the contest (whose name is in the title itself) after finishing this post.

The contest, which starts March 9, pits researchers against four browsers -- Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox -- as well as against smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS.
As the Pwn2Own contest gets closer, browser vendors are toughening up their browsers for the upcoming onslaught. Recent releases of Firefox 3.5.17 and 3.6.14, and Thunderbird 3.1.8, have patched a number of vulnerabilities in the browsers that could have been exploited during the contest.
This comes just a little while after Google patched a number of vulnerabilities in its own Chrome browser in advance of the competition. A total of $125,000 is at stake this year, of which $20,000 comes from Google itself, for those who can crack the Google Chrome browser.
The order in which researchers will tackle a target is assigned by a random drawing, and the contest is winner-take-all: only the first to hack a browser or smartphone walks off with the money.
And that has Charlie Miller, an analyst for the Baltimore-based consulting firm Independent Security Evaluators (ISE), -- and the only researcher to have won at Pwn2Own three years running.
As per Pwn2Own rules, TippingPoint's Zero Day Initiative (ZDI) bug bounty program acquires the rights to the winning vulnerabilities and exploits, and swears the researcher to secrecy. ZDI then reports the bugs to the corresponding vendor, and gives that vendor six months to patch the problem before releasing any information to the public.
According to Aaron Portnoy, manager of TippingPoint's security research team and the organizer of Pwn2Own for each of its five years, TippingPoint won't distribute cash prizes for all successful hacks this year -- a practice it followed in 2008, when it gave $5,000 for each zero-day exploit -- but it will pay for bugs that researchers don't get a chance to use.
"We are still offering money through the normal [ZDI] program for any vulnerabilities the contestants didn't get a chance to use," said Portnoy. "In fact, we are likely able to offer a higher amount of [ZDI] reward points if the submitted information is legitimate and exploitation is demonstrated."
ZDI does not disclose its bug bounty fee schedule, but awards "reward points" -- akin to frequent flier miles -- that contributors can cash in for one-time payments.
Pwn2Own is scheduled to run March 9-11 at CanSecWest, a security conference held each year in Vancouver, British Columbia.
Get your hands dirty with code and show off the 1337 geek snoozing inside you... Are you ready?!