Pwn2Own Berlin: Overall victory for Singapore, over a million total prize money
Organizers collected around thirty previously unknown zero-day vulnerabilities - and passed them to the manufacturers. A quarter of these concerned AI software.
Pwn2Own took place in Berlin for the first time in 2025
(Image: Zero Day Initiative)
The first German edition of the “Pwn2Own” exploit competition has come to an end and brought its participants over one million US dollars in prize money. The winner of the competition and newly crowned “Master of Pwn” was the team from “STAR Labs” in Singapore. The only German participant, Manfred Paul, brought a Firefox exploit with him.
The three-day exploit competition took place alongside “OffensiveCon”, a specialist conference for exploit authors and other experts in offensive IT security, and attracted participants from all over the world. They brought plenty of unpublished security vulnerabilities with them: a total of 28 different “zero days” were purchased by the organizing Zero Day Initiative (ZDI) of the security company Trend Micro. After an analysis by its experts, ZDI passes the vulnerabilities on to the manufacturers, who also had their employees on site as observers.
Two Asian teams came out on top of the field of participants: STAR Labs from Singapore won the overall prize of 320,000 dollars, while the security team from the Vietnamese telephone company Viettel took second place, followed by two French teams and the security researchers from Wiz in third to fifth place.
German participant starts calc.exe
Manfred Paul was the only German participant. He “popped calc”, as it is called in Pwn2Own jargon, i.e., he launched the Windows calculator from within Firefox by exploiting a vulnerability. This earned the former winner of the “Master of Pwn” title a prize of 50,000 US dollars. The prize money for successful participants is also the purchase price the ZDI pays for the corresponding vulnerability.
A quarter of the 28 vulnerabilities used at Pwn2Own concerned AI products, including Nvidia's Triton inference server. But virtualization software such as Broadcom's VMware, VirtualBox and Docker, and of course Windows, were also popular targets for exploit professionals.
(Image: Trend Zero Day Initiative)
The Pwn2Own event has existed since 2007. Its name – “pwn to own” loosely translates as “take over to own” – goes back to an initiative at the CanSecWest security conference, where participants could win a MacBook along with a 10,000 US dollar exploit prize if they successfully took it over (“pwned” it) using a security vulnerability. Even today, the laptops on which successful participants carried out their exploit attempts are still part of their prize, but next to the sometimes six-figure prize money they are more of a minor matter.
High-profile security vulnerabilities are repeatedly published at Pwn2Own, for example in the operating system of NAS manufacturer Synology in Ireland last November. In January 2025, hackers played Doom on a car infotainment system (albeit only on video).
(cku)