HITB⁺ Driven2Pwn

Bug bounty bazaar and contest with US$1.5 million to be won!

Be Amongst The Greatest

We're inviting the best pwnstars, bounty hunters and contest winners from around the world to exploit a variety of targets for a chance to win US$1.5 million in cash!

The Best Bug Hunters

One Event. Many Bounties.

We're creating a destination for bug hunters by gathering various industry partners to host their own bounty programs alongside ours in a one-stop bounty extravaganza for bug hunters!

One Bounty Bazaar

US$1.5 million is waiting to be won... what are YOU waiting for?

What?

HITB Driven2Pwn is the UAE’s first bug bounty buffet event – a one-stop collaborative bounty organized by Hack In The Box, VXRL and Vulnerability Labs.

Like a traditional bug bounty contest, we have a variety of targets with a range of cash pots to be won – so get ready to lay down your best pwnfu! You’re free to compete either as a team or as an individual hunter and there are no limits to the number of categories or bounties you can enter.

Why?

The aim of this 3-day contest is to create THE destination for the best bug bounty hunters to come and win themselves some good ol’ cash while responsibly disclosing vulnerabilities. In addition, we plan to open source all findings.*

We’re also creating a bonus category for UAE bug hunters, plus a special 2-day bug hunting training course specifically crafted for undergraduate and postgraduate students. This training will be free on a first-come, first-served basis.

* Subject to an agreed time window during which patches can be issued before publicly disclosing the vulnerability.

When & Where?

Taking place alongside the inaugural HITB+CyberWeek event, Driven2Pwn will run from October 15th to the 17th (Tuesday, Wednesday and Thursday) at the Emirates Palace in Abu Dhabi.

A full schedule including time-to-pwn slots will be announced in July.

Killing Classes of Bugs. One Bounty at a Time.

We all know that exploits are cool and such. The basis of an exploit is the underlying bug, detected by either reverse engineering or fuzzing. The process from a crash to exploit is a long one, which requires overcoming exploit mitigations, sandboxes, privileges, signatures, etc. The focus of current bug bounties is exploits only. We want to change the focus.

Disclosure Process

90 + 90

  • Bug confirmed by judging panel on-site at CyberWeek; initial findings and report submitted to vendor. Bug finder gets paid.
  • + 90 to 120 days (depending on severity): patch from vendor released along with initial advisory.
  • + 90 days for patch to be distributed: full details of exploit, including submitted exploit code, are released as open source.

Much Targets. Such Pwn.

Mobile (iOS)

Latest available build

IoT Devices

e.g. Security Cameras / Routers / Smart Devices / Locks / Drones / Robots

Mobile (Android)

Latest available build

Apple Mac OSX

Latest available build

Windows 10 and Server / Microsoft Office

Latest available build + Outlook / Word / Excel / PowerPoint

Web Browsers

Latest build, e.g. Firefox / Chrome / Edge / Safari

Enterprise

7-Zip / WinRAR / Adobe Reader

Fuzzers / Hot Fuzz

We shall accept reproducible crashes that are exploitable as valid submissions. The submitter shall also submit the fuzzer or corpus they used to generate the crash. HITB will validate that (a) the crash is exploitable and (b) the fuzzer is sound, and then pass this on to the vendor for acquisition.

We want to reward individuals for their time in bug discovery, not just exploit writing. Truly eliminating bug classes.

Rules & Schedule

Detailed rules and a schedule with the target list and available time slots will be announced in July, and will take into consideration the industry-accepted Pwn2Own approach, which is already familiar to the bug hunting and bounty community.

Note: This is a coordinated disclosure competition with strong emphasis against resale of findings from the contest.

You Say You Know PwnFu? Show Us!

Knights of the Pwn Table

(Judges)

Comprised of hand-selected, highly respected researchers and subject matter experts, judges have been chosen based on their past industry achievements and breakthroughs in the areas of vulnerability discovery and exploitation.

Their roles include:

  • evaluating and selecting participants who have registered to compete.
  • witnessing demos with working exploits and analyzing bug submissions during the game.
  • ensuring fairness of competition and providing observations and recommendations to the core organizers.

SEUNGJIN LEE (BEIST)

Head Judge

LINE GrayLab Lead

SAUMIL SHAH

Senior Judge

Founder, Net-Square

KATIE MOUSSOURIS

Senior Judge

Founder & CEO, Luta Security

RICHARD JOHNSON

Senior Judge

Director of Security Research, Oracle Cloud

DOMINIC WHITE

Senior Judge

Chief Technology Officer, SensePost

(MORE JUDGES TO BE ANNOUNCED IN JULY)

ORGANIZERS

A rag-tag team of researchers that play CTFs and hack pwnables for fun and knowledge.

Anthony Lai (darkfloyd)

Senior Judge & Crew Leader

(VXRL/VXCON)

Chris Chan (dragon)

Windows, Enterprise, IoT

(VXCON)

Kelvin Wong (Captain)

(IoT / Android)

(VXCON)

Boris So (mr.pilot)

Windows, Enterprise, iOS/Android

(VXCON)

Ken Wong (Ken)

Crew (Browser/Windows)

(VXCON)

J. Min (J)

Crew (Windows/Android)

(VXCON)

Alan Ho (Hackson)

Crew (Android/iOS)

(VXRL/VXCON)

PLATFORM SUPPORT

BENJAMIN KUNZ

Bug Submission Platform Support

(V1 Bug Bounty Platform)

Robert Heinrich Rauer

Platform Management & Development

(V1 Bug Bounty Platform)

Marco Salvatore Onorati

Senior Developer

(V1 Bug Bounty Platform)

Organizer / Event Support

HITB are the organizers of the HITB Security Conference, or HITBSecConf, a community-backed series of security conferences held annually in various locations around the world. The main aim of HITBSecConf is to enable the dissemination, discussion and sharing of deep-knowledge network security information, with a focus on groundbreaking attack and defense methods.

Co-Organizer

VXRL (Valkyrie-X Security Research Group) (www.vxrl.hk / www.vxcon.hk) is an offensive security corporation which has organised VXCON for 9 years. VXRL has provided security assessment, red team testing, training and malware analysis to corporate customers and non-profit-making organizations since 2010. VXRL has helped corporations including Hong Kong Jockey Club, Hong Kong Exchange, ING Insurance (Asia), Sumitomo Mitsui Banking Corporation, NTT Security (Hong Kong), Manulife Insurance (Asia), Macau SJM Casino and Macau CEM Electricity Corporation.

Bug Submission Platform

The V1 platform coordinates vulnerability research and helps organizations start their own bug bounty programs. Vulnerability Lab has owned the first independent, unique bug bounty platform since 2005 as infrastructure for security researchers, companies and developers. The time has come to manage your bug bounties and acknowledgements for the enterprise and to become part of a new European Union prevention system.