Pwnie Awards 2017

Winners of Pwnie Awards 2014

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • Heartbleed (CVE-2014-0160)

    Credit: Neel Mehta and Codenomicon

    The Heartbleed vulnerability was unleashed in April this year, starting a trend of giving vulnerabilities names, websites and logos. It was also a cool bug. This bug had a significant impact on both Yahoo! webmail users and any firm using Amazon's Elastic Load Balancers (ELBs). For almost a full day, anyone visiting the Yahoo! webmail application or an ELB-backed cloud service was at risk of having their cleartext credentials exposed. Yahoo! approached this problem by forcing password resets. The other 10,000+ companies using ELB likely did not.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Google Chrome Arbitrary Memory Read Write Vulnerability (CVE-2014-1705)

    Credit: Geohot

    Geohot won the Pwnium contest by chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • AFD.sys Dangling Pointer Vulnerability (CVE-2014-1767)

    Credit: Sebastian Apelt

    Filling in this year for win32k.sys, AFD.sys helped Sebastian win Pwn2Own 2014. This exploit is a great example of using a kernel exploit to escape the Internet Explorer 11 sandbox on Windows 8.1.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

    Daniel Genkin, Adi Shamir, Eran Tromer

    In this fascinating paper, the authors describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. They experimentally demonstrated that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security vulnerability most spectacularly.

  • AVG Remote Administration Insecure "By Design"


    Declaring reported security weaknesses "by design" is so much less work than actually fixing them. Hey, anybody want to get some fro-yo?

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • "The SSL Smiley Song"



Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Goto Fail


    We don't take kindly to "Pwnie Bait" vulnerabilities that have been introduced and named just to earn the coveted Epic FAIL Pwnie, but we'll let this one slide, Apple.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • Mt. Gox

    Mark Karpelès

    The world's largest bitcoin exchange pumps up the price of BTC well above competing exchanges, stops allowing cash withdrawals, blocks bitcoin withdrawals, and finally comes crashing down claiming that they were hacked. All of this from an ex-pat CEO living in Japan who was convicted of crimes in his home country in absentia. Hundreds of millions of dollars went missing and all blockchain analysis points to Mr. Karpelès either being the dumbest developer in the history of mankind or complicit in the theft of Mt. Gox users' funds.

Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony: Wed, Aug 8th 2018, at BlackHat USA 2018, Lagoon JK (Level 2), Mandalay Bay, Las Vegas