Global cybersecurity leader Trend Micro Incorporated announced the winners of its spring Pwn2Own competition held in Vancouver and sponsored by the Zero Day Initiative. Participants discovered 27 unique zero-day vulnerabilities, helping vendors enhance the security of their products and earning the contestants a total of $1,035,000 as well as a Tesla Model 3.
“Connected technologies drive our vehicles and power the hybrid workplace, so the more novel vulnerabilities we can find in them, the better,” said Brian Gorenc, vice president of threat research at Trend Micro. “Once again Pwn2Own has shown that, as much as we pay out in prize money, the real-world benefits to companies and their customers are worth much more. Congratulations to the team at Synacktiv for their months of hard work leading up to this event.”
Researchers from Synacktiv achieved critical successes against Tesla, including a historic attempt that used a heap overflow and an OOB write to exploit Tesla – Infotainment Unconfined Root and earned them the first-ever Tier 2 award at a Pwn2Own competition. The team also executed a successful TOCTOU exploit against Tesla – Gateway.
The overall Master of Pwn winner was Synacktiv with 53 points, winning $530,000 and a Tesla Model 3 as well as a $25,000 winner’s bonus. Synacktiv was represented by Eloi Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert.
The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any vendor’s product. However, we are encouraging security researchers and other individuals who become aware of vulnerabilities to participate in our program for their own financial benefit and for the benefit of the vendor, security and end user communities at large.
In order to maintain the secrecy of a researcher’s vulnerability discovery until a product vendor can develop a patch, Trend Micro customers are only provided a generic description of the filter provided and are not informed of the vulnerability. Once details are made public in coordination with the product vendor, Trend Micro’s Digital Vaccine® service provides an updated description so that customers can identify the appropriate filters that were protecting them. In other words, Trend Micro customers will be protected from the vulnerability in advance, but they will not be able to tell from the description what the vulnerability is.
Trend Micro follows its Vulnerability Disclosure Policy when reporting security vulnerabilities to product vendors. Obviously, responsible disclosure only works well when an affected product vendor makes a concerted effort to evaluate and address the reported flaw. Trend Micro will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Trend Micro will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no case will an acquired vulnerability be “kept quiet” because a product vendor does not wish to address it.