Target List
Targets
- Mobile Browsers
  - Mobile Safari (Apple iPhone XR)
  - Google Chrome (Google Pixel 3)
  - Samsung Browser (Samsung Galaxy S10)
- Web Browsers
  - Google Chrome (Windows 10)
  - Microsoft Edge (Windows 10)
  - Mozilla Firefox (Windows 10)
  - Apple Safari (MacOS)
  - Google Chrome (MacOS)
  - Mozilla Firefox (MacOS)
- Operating Systems
  - Apple MacOS
  - Windows 10
  - Windows Server
- Enterprise
  - Microsoft Office
  - 7-Zip
  - WinRAR
  - Adobe Reader
- Virtualization
  - Oracle VirtualBox
  - VMware Workstation
- IoT
  - Apple Watch Series 4
  - Amazon Echo
  - Google Home
  - Samsung Galaxy Watch
An attempt in each category must be launched from within the target under test; for example, launching the target under test from the command line is not allowed. Except for the IoT category, all targets will be run inside VMs.
The specification for the VM is 4 GB RAM and one CPU with 4 cores. The host will run the latest version of Windows for Windows entries and Mac OS X for the Apple OS X entries.
Target Scope
Mobile Browsers
For the mobile browser category, contestants are required to achieve code execution on the latest version of the default web browser installed on the target mobile device and do one of the following:
- Obtain sensitive information from outside of the sandbox
- Install a rogue application on the target device
Reference: https://blog.trendmicro.com/presenting-mobile-pwn2own-2016/
Web Browsers
For the web browser category, contestants are required to achieve code execution on the latest version of the target web browser and execute an arbitrary program with elevated privileges, either by escaping the sandbox or by exploiting a kernel vulnerability.
Operating Systems
For the operating system category, local privilege escalation (LPE) must be achieved on the target operating system:
- (Windows 10) Medium integrity -> NT SYSTEM
- (MacOS) root privileges
Enterprise Category
For the enterprise application category, contestants must achieve code execution in the target application and launch an arbitrary program.
Payout Table
Web Browsers: $450,000
Submission Process
This Contest is open to all registrants in the HITB+CyberWeek, subject to the eligibility requirements herein. Contestants must be on-site at the conference to demonstrate their entry. No purchase is required to participate in the Contest.
Contestants can register for the contest and indicate the categories in which they wish to participate. Registration for pwners will open in August 2019.
Where appropriate, the main submission platform will be v1 Bug Bounty Platform, but for some targets a vendor provided platform will be used.
A contestant can register multiple entries for a given category, but each entry must be for a different target in that category. A contestant can only register once per target. Every entry must be a separate and unique exploit chain.
Specific details about the targets (software, versions, configurations, etc.) will be communicated to contestants during the registration process. If the contestant is representing a company, the contestant must identify which company they are representing during the registration process. Each company is limited to one registration.
HITB reserves the right to deny registration to entries that do not comply with the rules during the registration process. Contest registration closes at 5:00 p.m. Pacific Time on <September 30th 2019>.