…your 2021 nominations!!! Thanks to our partners at Blackhat, the Awards will be broadcast live from the Blackhat main stage, August 4th 5:30pm PT! If you’re in town, come join us! For winners and prior winners who are in town, please contact us to join the afterparty.

Without further ado:

Best Client-Side Bug

Exploiting Samsung Secure Chip (CVE-2020-28341)

MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)

RCE through CS:GO

Collecting Garbage for Profit



Best Cryptographic Attack

Kaspersky Password Manager: All your passwords are belong to us



Best Privilege Escalation Bug


New old bugs in Linux kernel


Even more Windows print spooler

Mangkhut exploit chain

Heap-based buffer overflow in Sudo!

Floating Point Value Injection

Sequoia: A deep root in Linux’s filesystem layer

The Windows Print Spooler


Best Server-Side Bug

RCE in Qmail (CVE-2005-1513)

PrintNightmare (CVE-2021-34527)

Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

21Nails (too many to list)

UAF in HTTP.sys (CVE-2021-31166)

(Another) Print Spooler Vulnerability (CVE-2021-1675)

ESXI RCE (CVE-2021-21974)

Best Song


The Zoom Song

Chase Login

The Ransomware Song


Miss Configuration

Epic Achievement

Prank Calls for Truth

Ilfak Guilfanov

DEFCON Voting Village


Jiashui Wang (aka Quhe)

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Floating Point Value Injection (FPVI)

Lamest Vendor Response

Peloton Patches and Requires Subscription

Apple Response to Password Reset Vulnerabilities

Cellebrite Response to Moxie

Failure to Pay $1M Bounty

Giggle App Account and Public Information Disclosure Vulnerability

Most Epic Fail


Netgear router roundup

Canadian Shield iOS application is itself vulnerable

Samsung’s “secure” chip has a memcpy() buffer overflow

CREST / NCC Group – The Saga Continues

Voatz just generally having a bad one (year)

Unpatching the Patch

Most Innovative Research

APICraft: Fuzz Driver Generation for Closed-source SDK Libraries

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Speculative Probing: Hacking Blind in the Spectre Era

Most Under-Hyped Research

SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript

Windows 7 blind TCP/IP Hijacking

21 Nails

Supply Chain Attack on Composer