TippingPoint’s DVLabs announced yesterday the rules for its 3rd annual Pwn2Own contest, to be held at the CanSecWest Security Conference from March 16th through 20th in Vancouver. The focus this year is on two technologies: Web browsers and mobile devices.
The first hacker to crack a mobile device — an Android, BlackBerry, iPhone, Symbian, or Windows Mobile phone — without accessing it physically will win $10,000 and will get to keep the device, with a paid one-year contract. Subsequent successful mobile device hacks also pay $10,000 but do not include a device or contract.
Hackers also have the option of trying to execute a successful exploit against a Web browser. Potential targets include Chrome, Firefox, and IE8 on a Sony Vaio running Windows 7 or Firefox and Safari installed on a MacBook running Mac OS X. Opera is not included, however, an omission criticized in several blog comments. Browser bugs are worth $5,000 a piece.
Contest participants can try to attack both mobile devices and Web browsers, but cannot win both prizes using only a single exploit. Last year at CanSecWest, a team hacked a MacBook Air in two minutes using a previously unknown vulnerability in Apple’s Safari 3.1 Web browser. They took the MacBook Air home as the prize, along with $10,000 in cash.
TippingPoint’s goal is to use the prize money to purchase whatever zero-day exploits are revealed and to disclose them to the affected companies in a responsible manner.