Pwnie Awards
The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference.
Origins
The name Pwnie Award is based on the word "pwn", which is hacker slang meaning "to compromise" or "to control", derived from the earlier usage of the word "own". The name "The Pwnie Awards", pronounced "Pony", is meant to sound like The Tony Awards, an awards ceremony for Broadway theater in New York City.
History
The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.
Winners
2019
- Most Innovative Research: Vectorized Emulation Brandon Falk
- Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ Mathy Vanhoef, Eyal Ronen
- Lamest Vendor Response: Bitfi
- Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
- Most Under-hyped Bug: Thrangrycat, Jatin Kataria, Red Balloon Security
2018
- Most Innovative Research: Spectre/Meltdown Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
- Lifetime Achievement: Michał Zalewski
- Best Cryptographic Attack: Return Of Bleichenbacher’s Oracle Threat Hanno Böck, Juraj Somorovsky, Craig Young
- Lamest Vendor Response: Bitfi - a late entry that received thousands of nominations after multiple hackers cracked Bitfi's hardware wallet, which John McAfee had praised for its security. Although the device itself was compromised, by design it does not store private keys, so breaking into it did not by itself allow funds to be extracted. Bitfi stated that it was willing to pay bounties and had followed the rules it had stipulated, and on September 8, 2018 it announced which bounty conditions had been met and which payments would be made.
2017
- Epic Achievement: Finally getting TIOCSTI ioctl attack fixed Federico Bento
- Most Innovative Research: ASLR on the line Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
- Best Privilege Escalation Bug: DRAMMER Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
- Lamest Vendor Response: Lennart Poettering, for mishandling multiple critical systemd security vulnerabilities
2016
- Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
- Lifetime Achievement: Peiter Zatko aka Mudge
- Best Cryptographic Attack: DROWN attack Nimrod Aviram et al.
2015
- Most Epic Fail: OPM - U.S. Office of Personnel Management
- Lifetime Achievement: Thomas Dullien aka Halvar Flake
- Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian et al.
2014
2013
- Best Server-Side Bug: Ruby on Rails YAML Ben Murphy
- Best Client-Side Bug: Adobe Reader Buffer Overflow and Sandbox Escape Unknown
- Best Privilege Escalation Bug: iOS incomplete codesign bypass and kernel vulnerabilities David Wang aka planetbeing and the evad3rs team
- Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns Mateusz "j00ru" Jurczyk, Gynvael Coldwind
- Best Song: "All the Things" Dual Core
- Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning Hakin9
- Epic 0wnage: Joint award to Edward Snowden and the NSA
- Lifetime Achievement: Barnaby Jack
2012
The award for best privilege escalation bug went to Mateusz Jurczyk for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.
The award for best song went to "Control" by nerdcore rapper Dual Core. A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.
The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. Other nominees included LinkedIn and the antivirus industry.
The award for "epic 0wnage" went to Flame for its MD5 collision attack, recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.
2011
- Best Server-Side Bug: ASP.NET Framework Padding Oracle Juliano Rizzo, Thai Duong
- Best Client-Side Bug: FreeType vulnerability in iOS Comex
- Best Privilege Escalation Bug: Windows kernel win32k user-mode callback vulnerabilities Tarjei Mandt
- Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding Piotr Bania
- Lifetime Achievement: pipacs/PaX Team
- Lamest Vendor Response: RSA SecurID token compromise RSA
- Best Song: "" Geohot
- Most Epic Fail: Sony
- Epic 0wnage: Stuxnet
2010
- Best Server-Side Bug: Apache Struts2 framework remote code execution Meder Kydyraliev
- Best Client-Side Bug: Java Trusted Method Chaining Sami Koivu
- Best Privilege Escalation Bug: Windows NT #GP Trap Handler Tavis Ormandy
- Most Innovative Research: Flash Pointer Inference and JIT Spraying Dionysus Blazakis
- Lamest Vendor Response: LANrev remote code execution Absolute Software
- Best Song: "" Dr. Raid and Heavy Pennies
- Most Epic Fail: Microsoft Internet Explorer 8 XSS filter
2009
- Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption David 'DK2' Kim
- Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation Sebastian Krahmer
- Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow Ryan Smith and Alex Wheeler
- Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages Anonymous
- Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
- Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project
- Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize Stack Overflow Anonymous
- Best Song: Nice Report Doctor Raid
- Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter
- Lifetime Achievement Award: Solar Designer
2008
- Best Server-Side Bug: Windows IGMP Kernel Vulnerability Alex Wheeler and Ryan Smith
- Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
- Mass 0wnage: An unbelievable number of WordPress vulnerabilities
- Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Jacob Appelbaum, Edward Felten
- Lamest Vendor Response: McAfee's "Hacker Safe" certification program
- Most Overhyped Bug: Dan Kaminsky's DNS Cache Poisoning Vulnerability
- Best Song: by Kaspersky Labs
- Most Epic Fail: Debian's flawed OpenSSL Implementation
- Lifetime Achievement Award: Tim Newsham
2007
- Best Server-Side Bug: Solaris in.telnetd remote root exploit, Kingcope
- Best Client-Side Bug: Unhandled exception filter chaining vulnerability skape & skywing
- Mass 0wnage: WMF SetAbortProc remote code execution anonymous
- Most Innovative Research: Temporal Return Addresses, skape
- Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow
- Most Overhyped Bug: MacBook Wi-Fi Vulnerabilities, David Maynor
- Best Song: Symantec Revolution, Symantec