Pwnie Awards

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Pwnie Award, resembling a My Little Pony toy.[1]

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community.[2] The awards are presented yearly at the Black Hat Security Conference.[3]


The name Pwnie Award is based on the word "pwn", which is hacker slang meaning "to compromise" or to "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony,"[3] is meant to sound like The Tony Awards, an awards ceremony for Broadway Theater in New York City.


The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi[2] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE-2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE-2007-0038) in Internet Explorer.



  • Best Song: Powertrace[4] - Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater


  • Most Innovative Research: Vectorized Emulation[5] Brandon Falk
  • Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ [6] Mathy Vanhoef, Eyal Ronen
  • Lamest Vendor Response: Bitfi
  • Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
  • Most Under-hyped Bug: Thrangrycat, Jatin Kataria, Red Balloon Security


  • Most Innovative Research: Spectre[7]/Meltdown[8] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yval Yarom
  • Best Privilege Escalation Bug: Spectre[9]/Meltdown[10] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yval Yarom
  • Lifetime Achievement: Michał Zalewski
  • Best Cryptographic Attack: Return Of Bleichenbacher’s Oracle Threat [11] Hanno Böck, Juraj Somorovsky, Craig Young
  • Lamest Vendor Response: Bitfi - a late entry that had received thousands of nominations after multiple hackers cracked Bitfi's device following John McAfee's praising of the device for its security. Even though hackers cracked the device, by design the device does not contain private keys therefore breaking into the device would not result in a successful extraction of funds. Bitfi was eager to pay bounties and followed all the rules as stipulated. An announcement was made on September 8, 2018 with details on which bounty conditions were met and which payments would be made. [12]


  • Epic Achievement: Finally getting TIOCSTI ioctl attack fixed Federico Bento
  • Most Innovative Research: ASLR on the line [13] Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
  • Best Privilege Escalation Bug: DRAMMER [14] Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
  • Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs[15]
  • Best Song: Hello (From the Other Side)[16] - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner


  • Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector [17] Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
  • Lifetime Achievement: Peiter Zatko aka Mudge
  • Best Cryptographic Attack: DROWN attack [18] Nimrod Aviram et al.
  • Best Song: Cyberlier[19] - Katie Moussouris


  • Pwnie for Most Epic FAIL: OPM - U.S. Office of Personnel Management
  • Lifetime Achievement: Thomas Dullien aka Halvar Flake
  • Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice [20] Adrian David et al.


The award for best server-side bug went to the security researchers who discovered Heartbleed, and best client-side bug went to George Hotz for finding a bug in Chrome OS.[21] The "most epic fail" award went to Apple for its goto fail bug in iOS and OS X.[21]



The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw.[24][25] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.[24][26]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows.[24][25] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.[24][25]

The award for best song went to "Control" by nerdcore rapper Dual Core.[24] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.[24]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony.[24][26] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).[25]

The award for "epic 0wnage" went to Flame for its MD5 collision attack,[26] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.[25]




  • Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065) David 'DK2' Kim
  • Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185) Sebastian Krahmer
  • Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015) Ryan Smith and Alex Wheeler
  • Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844) Anonymous[2]
  • Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
  • Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project[31]
  • Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250) Anonymous[31]
  • Best Song: Nice Report Doctor Raid
  • Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter[2]
  • Lifetime Achievement Award: Solar Designer[31]




  1. ^ Rashid, Fahmida Y. (August 2, 2011). "Pwnie Awards Nominees in 2011 Include Sony, Anonymous, LulzSec, WikiLeaks". eWeek. Retrieved January 3, 2013.
  2. ^ a b c d Buley, Taylor (July 30, 2009). "Twitter Gets 'Pwned' Again". Forbes. Archived from the original on February 16, 2013. Retrieved January 3, 2013.
  3. ^ a b c d e f g Sutter, John D. (August 4, 2011). "Sony gets 'epic fail' award from hackers". CNN. Retrieved January 3, 2013.
  4. ^ Powertrace Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater
  5. ^ "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", Vectorized Emulation
  6. ^ "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd"
  7. ^ "Spectre Attacks: Exploiting Speculative Execution", Spectre
  8. ^ "Meltdown", Meltdown
  9. ^ "Spectre Attacks: Exploiting Speculative Execution", Spectre
  10. ^ "Meltdown", Meltdown
  11. ^ "Return Of Bleichenbacher’s Oracle Threat (ROBOT)"
  12. ^ "Important Statement from Bitfi", Bitfi Public Announcement
  13. ^ "Pwnie for Most Innovative Research", Pwnie Awards
  14. ^ "Pwnie for Best Privilege Escalation Bug", Pwnie Awards
  15. ^ "2017: Pwnie for Lamest Vendor Response", Pwnie Awards
  16. ^ Hello (From the Other Side) Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
  17. ^ "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", Erik Bosman et al.
  18. ^ "DROWN: Breaking TLS using SSLv2" Nimrod Aviram et al.
  19. ^ Cyberlier Katie Moussouris
  20. ^ "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", Adrian David et al.
  21. ^ a b Scharr, Jill (August 7, 2014). "Pwnie Awards Celebrate Security Wins and Epic Fails". Tom's Guide. Retrieved August 6, 2015.
  22. ^ "Identifying and Exploiting Windows Kernel RaceConditions via Memory Access Patterns"
  23. ^ at 09:31, John Leyden 5 Oct 2012. "Experts troll 'biggest security mag in the world' with DICKish submission". Retrieved 2019-10-03.
  24. ^ a b c d e f g Yin, Sara (July 26, 2012). "And Your 2012 Pwnie Award Winners Are..." SecurityWatch. PCMag. Retrieved January 8, 2013.
  25. ^ a b c d e Constantin, Lucian (July 26, 2012). "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat". IDG-News-Service. PCWorld. Retrieved January 8, 2013.
  26. ^ a b c Sean Michael Kerner (July 25, 2012). "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail". Retrieved January 8, 2013.
  27. ^ a b c d e f g h Schwartz, Mathew J. (August 4, 2011). "Pwnie Award Highlights: Sony Epic Fail And More". InformationWeek. Retrieved January 3, 2013.
  28. ^ "Kernel Attacks through User-Mode Callbacks"
  29. ^ "Securing the Kernel via Static Binary Rewriting and Program Shepherding"
  30. ^ "Interpreter Exploitation Pointer Inference and JIT Spraying"
  31. ^ a b c Brown, Bob (July 31, 2009). "Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards". NetworkWorld. Archived from the original on August 5, 2009. Retrieved January 3, 2013.
  32. ^ a b c Naone, Erica (August 7, 2008). "Black Hat's Pwnie Awards". MIT Technology Review. Retrieved January 3, 2013.
  33. ^ a b c d e f Naraine, Ryan (August 2, 2007). "OpenBSD team mocked at first ever 'Pwnie' awards". ZDNet. Retrieved January 3, 2013.

External links[edit]