Pwnie Awards
The Pwnie Awards recognize both extreme excellence and incompetence in the field of information security. Winners are selected by a committee of security industry luminaries from nominations collected from the information security community. The awards are presented yearly at the BlackHat Security Conference.
Origins
The name Pwnie Award is based on the word 'pwn', hacker slang meaning "to compromise" or "to control", derived from the earlier use of the word "own" (and pronounced similarly). The name "The Pwnie Awards" is meant to sound like The Tony Awards, an awards ceremony for Broadway theater in New York City.
History
The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.
Categories
As of 2009, Pwnies are awarded in the following categories:
* Pwnie for Best Server-Side Bug
* Pwnie for Best Client-Side Bug
* Pwnie for Mass 0wnage
* Pwnie for Most Innovative Research
* Pwnie for Lamest Vendor Response
* Pwnie for Most Overhyped Bug
* Pwnie for Best Song
* Pwnie for Most Epic FAIL (new for 2008)
* Pwnie for Lifetime Achievement (new for 2008)
Previous Winners
2009
- Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065), Wei Yongjun and sgrakkyu
- Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185), Sebastian Krahmer
- Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack Buffer Overflow (CVE-2008-0015), Ryan Smith and Alex Wheeler
- Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844), Anonymous
- Best Research: From 0 to 0day on Symbian, Bernhard Mueller
- Lamest Vendor Response: Linux, for "continually assuming that all kernel memory corruption bugs are only Denial-of-Service", Linux Project
- Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250), Anonymous
- Best Song: Nice Report, Doctor Raid
- Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis", Twitter
- Lifetime Achievement Award: Solar Designer
2008
- Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2008-0069), Alex Wheeler and Ryan Smith
- Best Client-Side Bug: Multiple URL protocol handling flaws, Nate McFeters, Rob Carter, and Billy Rios
- Mass 0wnage: An unbelievable number of WordPress vulnerabilities
- Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten (honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators)
- Lamest Vendor Response: McAfee's "Hacker Safe" certification program
- Most Overhyped Bug: Dan Kaminsky's DNS Cache Poisoning Vulnerability (CVE-2008-1447)
- Best Song: Packin' the K!, Kaspersky Labs
- Most Epic Fail: Debian's flawed OpenSSL implementation (CVE-2008-0166)
- Lifetime Achievement Award: Tim Newsham
2007
- Best Server-Side Bug: Solaris in.telnetd remote root exploit (CVE-2007-0882), Kingcope
- Best Client-Side Bug: Unhandled exception filter chaining vulnerability (CVE-2006-3648), skape and skywing
- Mass 0wnage: WMF SetAbortProc remote code execution (CVE-2005-4560), anonymous
- Most Innovative Research: Temporal Return Addresses, skape
- Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
- Most Overhyped Bug: MacBook Wi-Fi Vulnerabilities, David Maynor
- Best Song: Symantec Revolution, Symantec [1]