Pwnie Awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.


Origins

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.


History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.


Winners


2022

* Lamest Vendor Response: Google's "TAG" response team for fixing several zero-day exploits (something that is normally regarded as highly beneficial in IT security), because it allegedly and according to the jury "shut down a counterterrorism operation".


2021

* Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit.
* Epic Achievement: Ilfak Guilfanov, in honor of IDA's 30th Anniversary.
* Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo.
* Best Song: The Ransomware Song by Forrest Brazeal
* Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.
* Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain.
* Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" Attack.
* Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.
* Best Client-Side Bug: Gunnar Alendal's discovery of a buffer overflow on the Samsung Galaxy S20's secure chip.
* Most Under-Hyped Research: The Qualys Research Team for 21Nails, 21 vulnerabilities in Exim, the Internet's most popular mail server.


2020

* Best Server-Side Bug: BraveStarr (Ronald Huizer, CVE-2020-10188) – A Fedora 31 netkit telnetd remote exploit
* Best Privilege Escalation Bug: checkm8 (axi0mX) – A permanent unpatchable USB bootrom exploit for a billion iOS devices.
* Epic Achievement: Guang Gong, "Remotely Rooting Modern Android Devices"
* Best Cryptographic Attack: Zerologon vulnerability (Tom Tervoort, CVE-2020-1472)
* Best Client-Side Bug: (Mateusz Jurczyk, CVE-2020-8899 and -16747), a zero click remote execution attack.
* Most Under-Hyped Research: (Gabriel Negreira Barbosa, Rodrigo Rubira Branco, Joe Cihula, CVE-2019-0151, -0152)
* Most Innovative Research: TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not. (Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi)
* Most Epic Fail: Microsoft (CVE-2020-0601); the implementation of Elliptic-curve signatures meant attackers could generate private pairs for public keys of any signer, allowing HTTPS and signed binary spoofing.
* Best Song: Powertrace - Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater
* Lamest Vendor Response: Daniel J. Bernstein (CVE-2005-1513)


2019

* Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research.
* Most Innovative Research: Vectorized Emulation, Brandon Falk
* Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/, Mathy Vanhoef, Eyal Ronen
* Lamest Vendor Response: Bitfi
* Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
* Most Under-hyped Bug: Thrangrycat, Jatin Kataria, Red Balloon Security


2018

* Most Innovative Research: Spectre ("Spectre Attacks: Exploiting Speculative Execution") / Meltdown ("Meltdown"), Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
* Best Privilege Escalation Bug: Spectre / Meltdown, Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
* Lifetime Achievement: Michał Zalewski
* Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher’s Oracle Threat, Hanno Böck, Juraj Somorovsky, Craig Young
* Lamest Vendor Response: Bitfi - a late entry that had received thousands of nominations after multiple hackers cracked Bitfi's device following John McAfee's praising of the device for its security. Even though hackers cracked the device, by design the device does not contain private keys, therefore breaking into the device would not result in a successful extraction of funds. Bitfi was eager to pay bounties and followed all the rules as stipulated. An announcement was made on September 8, 2018 with details on which bounty conditions were met and which payments would be made.


2017

* Epic Achievement: Finally getting TIOCSTI ioctl attack fixed, Federico Bento
* Most Innovative Research: ASLR on the line, Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
* Best Privilege Escalation Bug: DRAMMER, Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
* Best Cryptographic Attack: The first collision for full SHA-1, Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
* Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs
* Best Song: Hello (From the Other Side) - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner


2016

* Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
* Lifetime Achievement: Peiter Zatko aka Mudge
* Best Cryptographic Attack: DROWN attack, Nimrod Aviram et al.
* Best Song: Cyberlier - Katie Moussouris


2015

Winner list from.

* Best Server-Side Bug: SAP LZC LZH Compression Multiple Vulnerabilities, Martin Gallo
* Best Client–Side Bug: Will it BLEND?, Mateusz j00ru Jurczyk
* Best Privilege Escalation Bug: UEFI SMM Privilege Escalation, Corey Kallenberg
* Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, Adrian David et al.
* Lamest Vendor Response: Blue Coat Systems (for blocking Raphaël Rigo's research presentation at SyScan 2015)
* Most Overhyped Bug: Shellshock, Stephane Chazelas
* Most Epic FAIL: OPM - U.S. Office of Personnel Management (for losing data on 19.7 Million applicants for US government security clearances.)
* Most Epic 0wnage: China
* Best Song: "Clean Slate" by YTCracker
* Lifetime Achievement: Thomas Dullien aka Halvar Flake


2014

* Best Server-Side Bug: Heartbleed (Neel Mehta and Codenomicon, CVE-2014-0160)
* Best Client-Side Bug: Google Chrome Arbitrary Memory Read Write Vulnerability (Geohot, CVE-2014-1705)
* Best Privilege Escalation Bug: AFD.sys Dangling Pointer Vulnerability (Sebastian Apelt, CVE-2014-1767); the winner of Pwn2Own 2014.
* Most Innovative Research: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (Daniel Genkin, Adi Shamir, Eran Tromer); extract RSA decryption keys from laptops within an hour by using the sounds generated by the computer.
* Lamest Vendor Response: AVG Remote Administration Insecure “By Design” (AVG)
* Best Song: "The SSL Smiley Song" (0xabad1dea)
* Most Epic Fail: Goto Fail (Apple Inc.)
* Epic 0wnage: Mt. Gox (Mark Karpelès)


2013

* Best Server-Side Bug: Ruby on Rails YAML, CVE-2013-0156, Ben Murphy
* Best Client-Side Bug: Adobe Reader Buffer Overflow and Sandbox Escape, CVE-2013-0641, Unknown
* Best Privilege Escalation Bug: iOS incomplete codesign bypass and kernel vulnerabilities, CVE-2013-0977, CVE-2013-0978, CVE-2013-0981, David Wang aka planetbeing and the evad3rs team
* Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns, Mateusz "j00ru" Jurczyk, Gynvael Coldwind
* Best Song: "All the Things", Dual Core
* Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning, Hakin9
* Epic 0wnage: Joint award to Edward Snowden and the NSA
* Lifetime Achievement: Barnaby Jack


2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest. The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets. The award for best song went to "Control" by nerdcore rapper Dual Core. A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community. The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame). The award for "epic 0wnage" went to Flame for its MD5 collision attack, recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.


2011

* Best Server-Side Bug: ASP.NET Framework Padding Oracle, CVE-2010-3332, Juliano Rizzo, Thai Duong
* Best Client-Side Bug: FreeType vulnerability in iOS, CVE-2011-0226, Comex
* Best Privilege Escalation Bug: Windows kernel win32k user-mode callback vulnerabilities, MS11-034, Tarjei Mandt
* Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding, Piotr Bania
* Lifetime Achievement: pipacs/PaX Team
* Lamest Vendor Response: RSA SecurID token compromise, RSA
* Best Song: "The Light It Up Contest", Geohot
* Most Epic Fail: Sony
* Pwnie for Epic 0wnage: Stuxnet


2010

* Best Server-Side Bug: Apache Struts2 framework remote code execution, CVE-2010-1870, Meder Kydyraliev
* Best Client-Side Bug: Java Trusted Method Chaining, CVE-2010-0840, Sami Koivu
* Best Privilege Escalation Bug: Windows NT #GP Trap Handler, CVE-2010-0232, Tavis Ormandy
* Most Innovative Research: Flash Pointer Inference and JIT Spraying ("Interpreter Exploitation Pointer Inference and JIT Spraying"), Dionysus Blazakis
* Lamest Vendor Response: LANrev remote code execution, Absolute Software
* Best Song: Pwned - 1337 edition, Dr. Raid and Heavy Pennies
* Most Epic Fail: Microsoft Internet Explorer 8 XSS filter


2009

* Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065) David 'DK2' Kim
* Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185) Sebastian Krahmer
* Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015) Ryan Smith and Alex Wheeler
* Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844) Anonymous
* Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
* Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project
* Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250) Anonymous
* Best Song: Nice Report Doctor Raid
* Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter
* Lifetime Achievement Award: Solar Designer


2008

* Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2007-0069) Alex Wheeler and Ryan Smith
* Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
* Mass 0wnage: An unbelievable number of WordPress vulnerabilities
* Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators) J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten
* Lamest Vendor Response: McAfee's "Hacker Safe" certification program
* Most Overhyped Bug: Dan Kaminsky's DNS Cache Poisoning Vulnerability (CVE-2008-1447)
* Best Song: Packin' the K! by Kaspersky Labs
* Most Epic Fail: Debian's flawed OpenSSL Implementation (CVE-2008-0166)
* Lifetime Achievement Award: Tim Newsham


2007

* Best Server-Side Bug: Solaris in.telnetd remote root exploit (CVE-2007-0882), Kingcope
* Best Client-Side Bug: Unhandled exception filter chaining vulnerability (CVE-2006-3648) skape & skywing
* Mass 0wnage: WMF SetAbortProc remote code execution (CVE-2005-4560) anonymous
* Most Innovative Research: Temporal Return Addresses, skape
* Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
* Most Overhyped Bug: MacBook Wi-Fi Vulnerabilities, David Maynor
* Best Song: Symantec Revolution, Symantec

