HITB⁺ Driven2Pwn

Bug bounty bazaar and contest with US$1.2 million to be won!

Be Amongst The Greatest

We're inviting the best pwnstars, bounty hunters and contest winners from around the world to exploit a variety of targets for a chance to win US$1.5 million in cash!

The Best Bug Hunters

One Event. Many Bounties.

We're creating a destination for bug hunters by gathering various industry partners to host their own bounty programs alongside ours in a one-stop bounty extravaganza!

One Bounty Bazaar

US $ 1

is waiting to be won... what are YOU waiting for?

What?

HITB Driven2Pwn is the UAE’s first bug bounty buffet event – a one-stop collaborative bounty organized by Hack In The Box, VXRL and Vulnerability Labs.

Like a traditional bug bounty contest, we have a variety of targets with a range of cash pots to be won – so get ready to lay down your best pwnfu! You’re free to compete either as a team or as an individual hunter and there are no limits to the number of categories or bounties you can enter.

Why?

The aim of this 3-day contest is to create THE destination for the best bug bounty hunters to come and win themselves some good ol’ cash while responsibly disclosing vulnerabilities. In addition, we plan to open source all findings.*

* Subject to an agreed time window during which patches can be issued before publicly disclosing the vulnerability.

When & Where?

Taking place alongside the inaugural HITB+CyberWeek event, Driven2Pwn will run from October 15th to the 17th (Tuesday, Wednesday and Thursday) at the Emirates Palace in Abu Dhabi.

A full schedule including time-to-pwn slots will be announced in July.

Killing Classes of Bugs. One Bounty at a Time.

We all know that exploits are cool and such. The basis of an exploit is the underlying bug, detected by either reverse engineering or fuzzing. The process from a crash to exploit is a long one, which requires overcoming exploit mitigations, sandboxes, privileges, signatures, etc. The focus of current bug bounties is exploits only. We want to change the focus.

Disclosure Process

90 + 90

  • Bug confirmed by the judging panel on-site at CyberWeek; initial findings and report submitted to the vendor. Bug finder gets paid.
  • + 90 to 120 days (depending on severity): patch from the vendor released along with an initial advisory.
  • + 90 days for the patch to be distributed: full details of the exploit, including the submitted exploit code, are released as open source.

Our rules take into consideration the industry-accepted Pwn2Own approach, which is already familiar to the bug hunting and bounty community.

Note: This is a coordinated disclosure competition with a strong emphasis against resale of findings from the contest.

Much Targets. Such Pwn.

Mobile (iOS)

Latest available build

IoT Devices

e.g. Security Cameras / Routers / Smart Devices / Locks / Drones / Robots

Mobile (Android)

Latest available build

Apple Mac OSX

Latest available build

Windows 10 and Server / Microsoft Office

Latest available build + Outlook / Word / Excel / PowerPoint

Web Browsers

Latest build, e.g. Firefox / Chrome / Edge / Safari

Enterprise

7-Zip / WinRAR / Adobe Reader

We want to reward individuals for their time in bug discovery, not just exploit writing. Truly eliminating bug classes.

You Say You Know PwnFu? Show Us!

Knights of the Pwn Table

(Judges)

Comprised of hand-selected, highly respected researchers and subject matter experts, judges have been chosen based on their past industry achievements and breakthroughs in the areas of vulnerability discovery and exploitation.

Their roles include:

  • evaluating and selecting participants who have registered to compete.
  • witnessing demos with working exploits and analyzing bug submissions during the game.
  • ensuring fairness of competition and providing observations and recommendations to the core organizers.

SEUNGJIN LEE (BEIST)

Head Judge

LINE GrayLab Lead

SAUMIL SHAH

Senior Judge

Founder, Net-Square

KATIE MOUSSOURIS

Senior Judge

Founder & CEO, Luta Security

RICHARD JOHNSON

Senior Judge

Director of Security Research, Oracle Cloud

DOMINIC WHITE

Senior Judge

Chief Technology Officer, SensePost

CHAITANYA SHARMA

Senior Judge

Security Researcher, Apple Inc.

THANH NGUYEN (RED DRAGON)

Judge

Founder, Verichains Lab / VNSECURITY

TARJEI MANDT (Kernelpool)

Judge

Senior Security Researcher, Trenchant

JAMES FORSHAW

Advisor

Project Zero, Google

(MORE JUDGES TO BE ANNOUNCED IN JULY)

ORGANIZERS

A rag-tag team of researchers that play CTFs and hack pwnables for fun and knowledge.

ANTHONY LAI (darkfloyd)

Senior Judge & Crew Leader

(VXRL/VXCON)

CHRIS CHAN (dragon)

Windows, Enterprise, IoT

(VXCON)

KELVIN WONG (Captain)

IoT / Android

(VXCON)

BORIS SO (mr.pilot)

Windows, Enterprise, iOS/Android

(VXCON)

KEN WONG (Ken)

Crew (Browser/Windows)

(VXCON)

J. MIN (J)

Crew (Windows/Android)

(VXCON)

ALAN HO (Hackson)

Crew (Android/iOS)

(VXRL/VXCON)

PLATFORM SUPPORT

BENJAMIN KUNZ

Bug Submission Platform Support

(V1 Bug Bounty Platform)

ROBERT HEINRICH RAUER

Platform Management & Development

(V1 Bug Bounty Platform)

MARCO SALVATORE ONORATI

Senior Developer

(V1 Bug Bounty Platform)

Organizer / Event Support

HITB are the organizers of the HITB Security Conference, or HITBSecConf - a community-backed series of security conferences held annually in various locations around the world. The main aim of HITBSecConf is to enable the dissemination, discussion and sharing of deep-knowledge network security information, with a focus on groundbreaking attack and defense methods.

Co-Organizer

VXRL (Valkyrie-X Security Research Group) (www.vxrl.hk / www.vxcon.hk) is an offensive security corporation which has organised VXCON for 9 years. VXRL has provided security assessment, red team testing, training and malware analysis to corporate customers and non-profit organizations since 2010. VXRL has helped corporations including Hong Kong Jockey Club, Hong Kong Exchange, ING Insurance (Asia), Sumitomo Mitsui Banking Corporation, NTT Security (Hong Kong), Manulife Insurance (Asia), Macau SJM Casino and Macau CEM Electricity Corporation.

Bug Submission Platform

The V1 platform coordinates vulnerability research and assists in starting your own bug bounty programs. Vulnerability Lab has owned the first independent, unique bug bounty platform since 2005 as infrastructure for security researchers, companies & developers. The time has come to manage your bug bounties and acknowledgements for the enterprise and to become part of a new European Union prevention system.