updated 09:25 am EST, Tue January 24, 2012
Pwn2Own will not allow pre-made exploits
Tipping Point's Pwn2Own security contest is changing its methodology in a way that could break from "sensationalist" headlines, the company's security team lead Aaron Portnoy explained. When it takes place at CanSecWest in March, the hacking competition as explained to PC Advisor would partly switch to an on-the-spot contest where teams didn't have to have ready-made hack by the time they got to the show. It would become a form of "spectator sport" and reward teams based on the speed it takes at Pwn2Own itself, scoring based on the frequency of hacks each day.
Points would vary based on the day, with 10 points for any hack managed on the first day, nine on the second, and eight on the third. Bringing a zero-day (previously undiscovered) hack will still get someone 32 points, but it's now possible for a team to counter this simply through the volume of exploits they discover.
Tipping Pint is keeping up and escalating the reward for hacks. The top award will give the winner $60,000, much higher than the $15,000 of 2011. Second and third places will get $30,000 and $15,000, respectively. Google is also confident enough in Chrome's sandboxing, which prevents malicious code from escaping to the operating system level, that it's continuing to offer $20,000 on its own to anyone who can successfully crack its browser, no matter how many exploits. Chrome is so far the only browser known to have never been broken at Pwn2Own.
Apple has been a frequent target of contest winners like Charlie Miller. Some of this has stemmed from Apple's less aggressive pursuit of security updates, but also through prizes. Earlier users saw the successful zero-day hack win the very notebook that had been targeted.