The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community.[1] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.[2]
Origins
The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control", derived from the earlier usage of the word "own" (and pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony,"[2] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.
History
The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi[1] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE-2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE-2007-0038) in Internet Explorer.
Lamest Vendor Response: Google's "TAG" response team for "unilaterally shutting down a counterterrorism operation." [3][4][5]
Epic Achievement: Yuki Chen’s Windows Server-Side RCE Bugs
Most Epic Fail: HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains
Best Desktop Bug: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Architecturally Leaking Data from the Microarchitecture
Most Innovative Research: Pietro Borrello, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Custom Processing Unit: Tracing and Patching Intel Atom Microcode
Best Cryptographic Attack: Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
Best Remote Code Execution Bug: KunlunLab for Windows RPC Runtime Remote Code Execution (CVE-2022-26809)
Best Privilege Escalation Bug: Qidan He of Dawnslab, for Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace
Best Mobile Bug: FORCEDENTRY
Most Under-Hyped Research: Yannay Livneh for Spoofing IP with IPIP
2021
Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit.[6][7]
Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo.
Best Song: The Ransomware Song by Forrest Brazeal[8]
Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.[9]
Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain.[10]
Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" attack.[11]
Most Epic Fail: Microsoft, for an implementation of elliptic-curve signature verification that allowed attackers to generate a private key matching any signer's public key, enabling spoofing of HTTPS certificates and signed binaries (CVE-2020-0601).
Best Song: Powertrace by Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki and Kater
Lamest Vendor Response: Daniel J. Bernstein (CVE-2005-1513)
2019
Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research.[16]
Most Innovative Research: Vectorized Emulation[17] (Brandon Falk)
Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/[18] (Mathy Vanhoef, Eyal Ronen)
Lamest Vendor Response: Bitfi
Most Over-hyped Bug: Allegations of Supermicro hardware backdoors (Bloomberg)
Most Under-hyped Bug: Thrangrycat (Jatin Kataria, Red Balloon Security)
2018
Most Innovative Research: Spectre[19]/Meltdown[20] (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom)
Best Privilege Escalation Bug: Spectre[19]/Meltdown[20] (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom)
Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher's Oracle Threat[21] (Hanno Böck, Juraj Somorovsky, Craig Young)
Lamest Vendor Response: Bitfi - a late entry that had received thousands of nominations after multiple hackers cracked Bitfi's device following John McAfee's praising of the device for its security. Even though hackers cracked the device, by design the device does not contain private keys, so breaking into the device would not result in a successful extraction of funds. Bitfi was eager to pay bounties and followed all the rules as stipulated. An announcement was made on September 8, 2018 with details on which bounty conditions were met and which payments would be made.[22]
Most Innovative Research: ASLR on the line[23] (Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida)
Best Privilege Escalation Bug: DRAMMER[24] (Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida)
Best Cryptographic Attack: The first collision for full SHA-1 (Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov)
Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical systemd bugs[25]
Best Song: Hello (From the Other Side)[26] (Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner)
2016
Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector[27] (Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida)
Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns[34] (Mateusz "j00ru" Jurczyk, Gynvael Coldwind)
Best Song: "All the Things" (Dual Core)
Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning (Hakin9)[35]
The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw.[36][37] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.[36][38]
The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows.[36][37] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.[36][37]
The award for best song went to "Control" by nerdcore rapper Dual Core.[36] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.[36]
The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, which is unusual because the winner of this category usually does not accept the award at the ceremony.[36][38] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).[37]
The award for "epic 0wnage" went to Flame for its MD5 collision attack,[38] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.[37]
2011
Best Server-Side Bug: ASP.NET Framework Padding Oracle (CVE-2010-3332) (Juliano Rizzo, Thai Duong)[2]
Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2007-0069) (Alex Wheeler and Ryan Smith)
Best Client-Side Bug: Multiple URL protocol handling flaws (Nate McFeters, Rob Carter, and Billy Rios)
Mass 0wnage: An unbelievable number of WordPress vulnerabilities
Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten); an honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators