The Pwnie Awards recognize both excellence and incompetence in the field of information security[citation needed]. Winners are selected by a committee of security industry professionals from nominations collected from the information security community.[1] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.[2]
Origins
The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony,"[2] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.
History
The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi[1] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE-2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE-2007-0038) in Internet Explorer.
Lamest Vendor Response: Google's "TAG" response team for fixing several zero-day exploits (something that is normally regarded as highly beneficial in IT security), because it allegedly and according to the jury "shut down a counterterrorism operation".[3].
Epic Achievement: Yuki Chen’s Windows Server-Side RCE Bugs
Most Epic Fail: HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains
Best Desktop Bug: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Architecturally Leaking Data from the Microarchitecture
Most Innovative Research: Pietro Borrello, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Custom Processing Unit: Tracing and Patching Intel Atom Microcode
Best Cryptographic Attack: Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
Best Remote Code Execution Bug: KunlunLab for Windows RPC Runtime Remote Code Execution (CVE-2022-26809)
Best Privilege Escalation Bug: Qidan He of Dawnslab, for Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace
Best Mobile Bug: FORCEDENTRY
Most Under-Hyped Research: Yannay Livneh for Spoofing IP with IPIP
2021
Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit.[4][5]
Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo.
Best Song: The Ransomware Song by Forrest Brazeal[6]
Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.[7]
Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain.[8]
Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" Attack.[9]
Most Epic Fail: Microsoft (CVE-2020-0601); the implementation of Elliptic-curve signatures meant attackers could generate private pairs for public keys of any signer, allowing HTTPS and signed binary spoofing.
Best Song: Powertrace[14] - Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater
Lamest Vendor Response: Daniel J. Bernstein (CVE-2005-1513)
2019
Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research.[15]
Most Innovative Research: Vectorized Emulation[16] Brandon Falk
Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ [17]Mathy Vanhoef, Eyal Ronen
Lamest Vendor Response: Bitfi
Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
Most Under-hyped Bug: Thrangrycat, Jatin Kataria, Red Balloon Security
2018
Most Innovative Research: Spectre[18]/Meltdown[19]Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
Best Privilege Escalation Bug: Spectre[18]/Meltdown[19]Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher’s Oracle Threat [20]Hanno Böck, Juraj Somorovsky, Craig Young
Lamest Vendor Response: Bitfi - a late entry that had received thousands of nominations after multiple hackers cracked Bitfi's device following John McAfee's praising of the device for its security. Even though hackers cracked the device, by design the device does not contain private keys therefore breaking into the device would not result in a successful extraction of funds. Bitfi was eager to pay bounties and followed all the rules as stipulated. An announcement was made on September 8, 2018 with details on which bounty conditions were met and which payments would be made.[21]
Most Innovative Research: ASLR on the line [22]Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
Best Privilege Escalation Bug: DRAMMER [23]Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
Best Cryptographic Attack: The first collision for full SHA-1Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs[24]
Best Song: Hello (From the Other Side)[25] - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
2016
Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector [26]Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns[33]Mateusz "j00ru" Jurczyk, Gynvael Coldwind
Best Song: "All the Things" Dual Core
Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning Hakin9[34]
The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw.[35][36] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.[35][37]
The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windowskernel that affected all 32-bit versions of Windows.[35][36] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.[35][36]
The award for best song went to "Control" by nerdcore rapper Dual Core.[35] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.[35]
The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static rootSSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony.[35][37] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).[36]
The award for "epic 0wnage" went to Flame for its MD5collision attack,[37] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.[36]
2011
Best Server-Side Bug: ASP.NET Framework Padding Oracle (CVE-2010-3332) Juliano Rizzo, Thai Duong[2]
Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2007-0069) Alex Wheeler and Ryan Smith
Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
Mass 0wnage: An unbelievable number of WordPress vulnerabilities
Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (honorable mention was awarded to Rolf Rolles for work on virtualizationobfuscators) J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten