Best Client-Side Bug



Collecting Garbage for Profit

Exploiting Samsung Secure Chip (CVE-2020-28341)

MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)

RCE through CS:GO

Best Cryptographic Attack

Kaspersky Password Manager: All your passwords are belong to us



Best Privilege Escalation Bug



Even more Windows print spooler

Floating Point Value Injection

Heap-based buffer overflow in Sudo!

Mangkhut exploit chain


New old bugs in Linux kernel

Sequoia: A deep root in Linux’s filesystem layer

The Windows Print Spooler

Best Server-Side Bug

(Another) Print Spooler Vulnerability (CVE-2021-1675)

21Nails (too many to list)

ESXI RCE (CVE-2021-21974)

Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

PrintNightmare (CVE-2021-34527)

RCE in Qmail (CVE-2005-1513)

UAF in HTTP.sys (CVE-2021-31166)

Best Song

Chase Login

Miss Configuration



The Ransomware Song

The Zoom Song

Epic Achievement

DEFCON Voting Village

Floating Point Value Injection (FPVI)

Ilfak Guilfanov

Jiashui Wang (aka Quhe)


Prank Calls for Truth

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Lamest Vendor Response

Apple Response to Password Reset Vulnerabilities

Cellebrite Response to Moxie

Failure to Pay $1M Bounty

Giggle App Account and Public Information Disclosure Vulnerability

Peloton Patches and Requires Subscription

Most Epic Fail

CREST / NCC Group – The Saga Continues

Canadian Shield iOS application is itself vulnerable

Netgear router roundup


Samsung’s “secure” chip has a memcpy() buffer overflow

Unpatching the Patch

Voatz just generally having a bad one (year)

Most Innovative Research

APICraft: Fuzz Driver Generation for Closed-source SDK Libraries

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Speculative Probing: Hacking Blind in the Spectre Era

Most Under-Hyped Research

21 Nails

SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript

Supply Chain Attack on Composer

Windows 7 blind TCP/IP Hijacking