The Best Bug Hunters
HITB Driven2Pwn is the UAE’s first bug bounty buffet event – a one-stop collaborative bounty organized by Hack In The Box, VXRL and Vulnerability Labs.
Like a traditional bug bounty contest, we have a variety of targets with a range of cash pots to be won – so get ready to lay down your best pwnfu! You’re free to compete either as a team or as an individual hunter and there are no limits to the number of categories or bounties you can enter.
The aim of this 3-day contest is to create THE destination for the best bug bounty hunters to come and win themselves some good ol’ cash while responsibly disclosing vulnerabilities. In addition, we plan to open source all findings *
- Mobile Browsers
  - Mobile Safari (Apple iPhone XR)
  - Google Chrome (Google Pixel 3)
  - Samsung Browser (Samsung Galaxy S10)
- Web Browsers
  - Google Chrome (Windows 10)
  - Microsoft Edge (Windows 10)
  - Mozilla Firefox (Windows 10)
  - Apple Safari (MacOS)
  - Google Chrome (MacOS)
  - Mozilla Firefox (MacOS)
- Operating Systems
  - Apple MacOS
  - Windows 10
  - Windows Server
- Microsoft Office
- Adobe Reader
- Apple Watch Series 4
- Amazon Echo
- Google Home
- Samsung Galaxy Watch
An attempt for each category must be launched from the target under test. For example, launching the target under test from the command line is not allowed. Except for the IoT category, all the targets will be run inside VMs.
The specification for the VM is 4GB RAM, with 1 CPU with 4 cores. The host will be running the latest version of Windows for the Windows entry and Mac OS X for the Apple OS X entry.
For the mobile browser category, contestants are required to achieve code execution on the latest version of the default web browser installed on the target mobile device and do one of the following:
- Obtain sensitive information outside of the sandbox
- Install a rogue application on the target device

Reference: https://blog.trendmicro.com/presenting-mobile-pwn2own-2016/
For the web browser category, contestants are required to achieve code execution on the latest version of the target web browser and execute an arbitrary program with elevated privileges by either escaping the sandbox or exploiting a kernel vulnerability.
For the operating system category, local privilege escalation (LPE) must be achieved in the target operating system.
- (Windows 10) Medium integrity -> NT SYSTEM
- (MacOS) root privileges
For the enterprise application category, contestants must achieve code execution on the target application and launch an arbitrary program.
- Apple iPhone: $250,000
- Google Pixel 3: $100,000
- Samsung Galaxy S10: $100,000
- Google Chrome: $150,000
- Apple Safari: $100,000
- Microsoft Edge: $100,000
- Mozilla Firefox: $100,000
- Windows 10 LPE: $50,000
- Mac OS X LPE: $50,000
- Microsoft Office: $50,000
- Mozilla Thunderbird: $15,000
- Adobe Reader: $15,000
- Google Home: $25,000
- Amazon Alexa: $25,000
- Apple Watch Series 4: $25,000
- Samsung Galaxy Watch: $25,000
This Contest is open to all registrants in the HITB+CyberWeek, subject to the eligibility requirements herein. Contestants must be on-site at the conference to demonstrate their entry. No purchase is required to participate in the Contest.
The contestant can register for the contest and indicate in which categories the contestant wishes to participate. Registration for pwners will open in August 2019.
Where appropriate, the main submission platform will be v1 Bug Bounty Platform, but for some targets a vendor-provided platform will be used.
The contestant can register multiple entries for a given category but each entry must be for a different target in that category. The contestant can only register once per target. Every entry must be a separate and unique exploit chain.
Specific details about the targets (software, versions, configurations, etc.) will be communicated to contestants during the registration process. If the contestant is representing a company, the contestant must identify which company they are representing during the registration process. Each company is limited to one registration.
HITB reserves the right to deny registration to entries that do not comply with the rules during the registration process. Contest registration closes at 5:00 p.m. Pacific Time on September 30th 2019.