Taking place over the last week was the CanSecWest 2010 security conference, with its now-annual Pwn2Own contest. For those who are unfamiliar, the Pwn2Own contest presents a number of devices, usually mobile or cellular devices and laptops, as targets and allows contestants to attempt to compromise them in some way. These targets are patched up through the most recent vendor patches, and if a contestant is able to Pwn (compromise) the device, they get to Own (keep) it. This is always a nice publicity stunt, as the contest is widely publicized by its sponsor, providing researchers with some fame and a prize as a bit of a return on the effort they invested in researching vulnerabilities and developing exploits. The Zero Day Initiative (ZDI), which sponsors the contest, also offers to buy the vulnerabilities used by the winners and “responsibly disclose” them to the affected vendors, providing a bit of a cash incentive as well.
Over the past few years, however, some things have drastically changed in the value and marketability of such vulnerabilities.