A single researcher made $225,000 (legally!) by hacking browsers this week

For the past two days, security researchers have descended on Vancouver for a Google-sponsored contest called Pwn2Own, which offers top-dollar prizes for anyone who can publicly exploit bugs in popular browsers and other widely used software like Adobe Flash.

More than half a million dollars for 21 bugs

This year was a particularly lucrative one, as a researcher named JungHoon Lee (also known as lokihardt) came away from the contest with a record $225,000 for three bugs, affecting Internet Explorer, Chrome, and Safari. The Chrome bug was the most lucrative, earning $110,000 in total; it brought in extra money because it involved a beta version of Chrome and because Lee was able to escalate the exploit to system access. The Chrome bug was revealed in a single two-minute presentation, which, as one observer pointed out, put Lee's earnings at $916 per second.

At the end of the contest, all vulnerabilities are privately disclosed to vendors in the "Chamber of Disclosures." It's a particularly high-stakes version of a bug bounty program, a system that has become increasingly popular as companies look for legal ways to discover weaknesses before attackers do. This year's contest found 21 bugs in total — including five bugs in Windows, four bugs in Internet Explorer, and three bugs in Firefox — and paid a total of $557,500 to participating researchers.