Three-time Pwn2Own winner knocks hacking contest rules

Gregg Keizer | Feb. 28, 2011
Miller takes contest to task, says it encourages researchers to 'weaponize' exploits that may not be taken off the table

More important, said Miller, is that he and others have created reliable exploits for unpatched bugs. In security parlance, "weaponizing" an exploit means taking the attack code past a proof-of-concept that merely triggers the bug and turning it into something that reliably achieves code execution against the real target.

"It's almost dangerous to encourage researchers to weaponize an exploit" that then isn't taken off the table, Miller said.

Aaron Portnoy, manager of TippingPoint's security research team and the organizer of Pwn2Own for each of its five years, countered Miller's complaint.

"I have to wholeheartedly disagree regarding researchers developing weaponized exploits," said Portnoy in an e-mail reply to questions. "Those who compete in Pwn2Own usually have a moral reason for doing so. I think many are aware of the less legitimate outlets who pay more for such research [but] they prefer to deal with an entity that discloses the information to the affected vendor who ultimately fixes the vulnerability."

Although Portnoy's company won't distribute cash prizes for every successful hack this year -- as it did in 2008, when it paid $5,000 for each zero-day exploit -- it will pay for bugs that researchers don't get a chance to use.

"We are still offering money through the normal [ZDI] program for any vulnerabilities the contestants didn't get a chance to use," said Portnoy. "In fact, we are likely able to offer a higher amount of [ZDI] reward points if the submitted information is legitimate and exploitation is demonstrated."

ZDI does not disclose its bug bounty fee schedule, but awards "reward points" -- akin to frequent flier miles -- that contributors can cash in for one-time payments.

For his part, Miller said he was thinking of publicly releasing the vulnerabilities and exploits he had for Pwn2Own if he didn't win at the contest this year.

"Maybe I'll just drop them all for free, to show them how pissed off I am," Miller said Friday.

Portnoy called Miller's comment "discouraging," but pointed out that there was more to Pwn2Own than the prize money, a factor he thought would prevent researchers from releasing unused vulnerabilities and exploits into the wild.

"The researchers who compete in Pwn2Own are doing so not merely for the money, but for the fame associated with the skills they demonstrate," Portnoy argued. "I can't imagine that irresponsible disclosure of vulnerability information with absolutely no vendor notification will attract positive notoriety."

Pwn2Own is scheduled to run March 9-11 at CanSecWest, a security conference held each year in Vancouver, British Columbia.
