Pwn2Own Vancouver 2019: Tesla, VMware, Microsoft, and More


Starting in 2007, Pwn2Own has evolved from a small demonstration with prizes averaging around $10,000 per exploit, to one of the most well-known security contests in the industry, with millions of dollars of cash and prizes made available to contestants over the years. The contest serves as more than just an annual check-in on the state of browser and OS security. It also guides researchers as we add new categories and increase cash awards. Over the years, new veins of security research were mined after being a target of Pwn2Own. We saw that with exploit techniques like sandbox escapes, mitigation bypasses, and guest-to-host OS escalations. This year, on March 20-22 at the CanSecWest conference, we hope to see that research expand into our newest category, Automotive with the addition of the Tesla Model 3, which has quickly become the best-selling car in its class in the United States.  

That’s right. We’ll have a Tesla Model 3 on-site as a target for our automotive category, which has six different focal points for in-scope research (details below). Tesla essentially pioneered the concept of the connected car with their Model S sedan, and in partnership with Tesla, we hope to encourage even more security research into connected vehicles as the category continues to expand. Prizes range from $35,000 to $300,000 depending on a variety of factors including the exploit used. And the first successful researcher can also drive off in their own brand new Model 3 after the competition ends. See the rules section below for specific target categories and awards.

Cars aren’t the only thing providing a big payout this year. Microsoft returns as a partner for 2019 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. With that much cash, you can get your own Model 3 – or a few in multiple colors. VMware also returns as a Pwn2Own sponsor for 2019, and this year, we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $70,000 respectively. Oracle VirtualBox rounds out this category with a prize of $35,000. Cloud computing relies on virtualization, as do many other critical computing functions. We’ve seen guest-to-host OS escalations in the past two Pwn2Own contests. Here’s hoping we see more this year.

Web browsers are a traditional target for Pwn2Own Vancouver, and that remains the case for 2019. With the recent announcement of Microsoft moving to a Chromium-based engine, exploits on Google Chrome definitely earn a premium over Edge, Safari, and Firefox. A browser exploit ranges from $40,000 for Firefox up to $80,000 for Chrome. We’re also offering $80,000 for anyone who can successfully exploit Edge with a Windows Defender Application Guard (WDAG) specific escape from the WDAG container to the host OS – something we’ve never seen at Pwn2Own before. Contestants can add on another $70,000 if they escape the virtual machine and execute code on the host OS. Some say the browser is the gateway to the cloud. It’s certainly the gateway to online shopping. Either way, bugs in these products have a broad impact.

Enterprise applications also return as targets with Adobe Reader and various Office components, including Outlook, on the docket. Prizes in this category run from $40,000 for a Reader exploit, $60,000 for a successful Office entry, and $100,000 for Outlook. There’s a better than average chance that you use one (or more) of these applications in your average work day, making this category relevant to nearly everyone with a computer.

The Server Side category is much smaller this year with Microsoft Windows RDP as the only target. Most of our server side targets moved to our Targeted Incentive Program, so they no longer need to be included in Pwn2Own. Still, a successful RDP exploit will garner $150,000 for the contestant.

Finally, no Pwn2Own would be complete without crowning the Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could present great research, but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.