The Pwn2Own competition has taken place each year at the CanSecWest event since 2007, with contestants challenged to exploit specific software – especially web browsers and other web-related software – and computer/smartphone systems. Winners receive the device/computer that was successfully exploited and a cash prize.
For each successful exploit, the contest's sponsor, TippingPoint, provides a report to the applicable vendor, detailing the vulnerability and how it was exploited. The details are not released to the public until the vendor has corrected the vulnerability.
This year's competition will test the four main browsers – Chrome, Firefox, Internet Explorer and Safari – as well as smartphones running Apple iOS, Google Android, Microsoft Windows 7 Mobile and RIM/BlackBerry OS.
Successful crackers can win up to $20,000, what some experts are calling excessive, and encouraging programmers to crack operating systems where they would not have otherwise done so.
According to MacWorld, Charlie Miller of Baltimore-based ISE, who has won Pwn2Own three times on the trot, is upset at the scale of the contest this year.
"I'm disappointed in how many people have signed up [for Pwn2Own] and how few will win prizes", he told MacWorld, questioning what happens to the other exploits that don't win.
MacWorld notes that Miller's point is that with so many contestants – TippingPoint has said this year's list is the largest ever – some researchers will go home empty-handed.
"But the vulnerabilities they find and the exploits they create will not be taken off the market", says the newswire.
"It's almost dangerous to encourage researchers to weaponise an exploit that then isn't taken off the table," Miller told Gregg Keizer.
Aaron Portnoy, manager of TippingPoint's security research team and Pwn2Own's organiser, is defensive on Miller's comments, saying that he wholeheartedly disagrees on the subject of researchers developing weaponised exploits.
"Those who compete in Pwn2Own usually have a moral reason for doing so. I think many are aware of the less legitimate outlets who pay more for such research [but] they prefer to deal with an entity that discloses the information to the affected vendor who ultimately fixes the vulnerability", he told MacWorld.