Last week, Pwn2Own Vancouver 2022 participants earned a total of more than $1.15 million. According to the Zero Day Initiative (ZDI), which organizes the event, awards were paid for 25 unique zero-day vulnerabilities that were used to attack the Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox and Oracle VirtualBox.
The participants earned most of the money on the first day of the event by demonstrating exploits totaling $800,000, including three exploit chains for Microsoft Teams, each of which earned $150,000. The Synacktiv team received $75,000 for hacking the Tesla Model 3 infotainment system, but the exploit relied on an already known sandbox escape vulnerability. The second hacking attempt was unsuccessful: the researchers failed to demonstrate their exploit for Tesla, but ZDI still decided to report a possible exploit to the automaker.
Only one specialist, Manfred Paul, managed to hack the Firefox browser; the exploit earned him $100,000. Paul demonstrated the exploit on May 18, and on May 20 Mozilla announced an update to Firefox that should eliminate the vulnerabilities disclosed at Pwn2Own. The specialist also earned $50,000 for hacking Safari.
Pwn2Own participants demonstrated six exploits for Windows 11 privilege escalation, each of which earned $40,000. Four exploits for Ubuntu and one for VirtualBox brought hackers the same amount of money.
This is the second Pwn2Own in 2022. In April’s Pwn2Own Miami 2022, dedicated to industrial control systems, participants earned about $400,000 for their exploits.