The first day of Pwn2Own Vancouver was a success. Participants won a combined $800,000 for hacking widely used software, including Microsoft Teams, Oracle Virtualbox and Ubuntu Desktop.

Once or twice a year, Zero Day Initiative organizes a hacking contest to promote and reward security research. Prior to the contest, Zero Day Initiative publishes a list of popular software. Everybody is welcome to try and find zero-day vulnerabilities in the software. If a zero-day vulnerability is found, the hacker can register to demonstrate the exploit on a live stage. Winners are awarded tens to hundreds of thousands of euros in prize money.

The Vancouver edition of Pwn2Own is currently taking place. The first day yielded more than 10 vulnerabilities in commonly used software.

Winners

Hector Peralta (aka p3rr0) won $150,000 for demonstrating an improper configuration in Microsoft Teams. An improper configuration can mean anything, but the details of found vulnerabilities aren’t disclosed until the vulnerability has been patched.

On behalf of security company STAR Labs, three researchers demonstrated how Oracle Virtualbox can be abused for privilege escalation. The team won $40,000 dollars. Privilege escalation provides access to systems and files that are actually intended for a higher user role, like an administrator.

The team from security company Sea Security demonstrated an Out-of-Bounds Write (OOBW) and Use-After-Free (UAF) in Ubuntu Desktop. Both OOBW and UAF make it possible to hack systems, corrupt data and crash apps. This team was rewarded with $40,000 as well.

The pressure

Other participants found vulnerabilities in Firefox, Windows 11 and Safari. In total, Zero Day Initiative awarded 800,000 dollars. More than 10 other demonstrations will take place in the coming days. This does not guarantee that 10 prizes will be paid out. Participants do not always succeed in demonstrating their vulnerability. The pressure mounts when tens of thousands of dollars are at stake.

In April 2022 the Miami edition of Pwn2Own took place. Dutchmen Thijs Alkemade and Daan Keuper won a prize of $90,000 for finding vulnerabilities in Iconics, Inductive Automation and Aveva. The same duo walked away with $200,000 in 2021 after finding multiple vulnerabilities in Zoom.