Take a look at last year’s nominees then submit your noms for 2023!
Submission Guidelines
How do I submit?
Below you will find a list of categories we’ve selected for this year’s pwnie awards! Simply click the category you’d like to submit to and you’ll be brought to a google form asking you a few questions. If you don’t want your submission to be tossed out the door immediately we HIGHLY recommend following the instructions as accurately as possible.
How do I win?
All accepted nominations are voted on by a select committee of hackers, breakers, and coders. Simply put, if your hacks are great you get a pwnie.
How do I collect?
A selection of nominations will be announced at SummerCon in NYC. If you’ve been nominated we ask that you kindly join us this year at Black Hat USA in Las Vegas where the winners are announced and given their very own Pwnie Awards!
If you can not make it we will reach out to arrange some way to get it to you.
Submission Guidelines, Requirements, Tips & Tricks
We ask that submissions be well written and explain in clear and concise terms why you think the nomination deserves a pwnie. Just because you submit a nomination does not mean it will be accepted into the running. We receive many dozens of submissions every year and if you put some thought and effort into your submission we will happily give it the due consideration it deserves.
If you copy/paste your entire 500 line PoC it’s going to be immediately tossed out and/or lambasted on social media. If you send us a single link to a tweet with zero context it’s getting the ol > /dev/null treatment.
pwnie for best desktop bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting desktop bug.
pwnie for the best mobile bug
Awarded to the researcher or team who discovered or exploited the most interesting and innovative mobile bug.
pwnie for best cryptographic attack
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.
Nominate the best cryptographic attack
pwnie for best song
What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a “multi-talented” group of people.
pwnie for most innovative research
Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Nominate the most innovative research
pwnie for most under-hyped research
Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!
Nominate the most under-hyped research
pwnie for best privilege escalation bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Nominate the best privilege escalation bug
pwnie for best remote code execution bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting remote code execution bug. This includes any software that is accessible remotely without using user interaction.
pwnie for lamest vendor response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
Nominate the lamest vendor response
pwnie for most epic fail
This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.
pwnie for epic achievement
Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.