Previous Pwnie Award Winners
- 2020 Best Server-Side Bug: BraveStarr – A Fedora 31 netkit telnetd remote exploit
- 2020 Best Client-Side Bug: RCE on Samsung Phones via MMS
- 2020 Best Privilege Escalation Bug: checkm8 - Epic JailBreak
- 2020 Best Cryptographic Attack: Zerologon
- 2020 Most Innovative Research: TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not.
- 2020 Lamest Vendor Response: Daniel J. Bernstein
- 2020 Most Under-Hyped Research: Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)
- 2020 Most Epic Fail: Microsoft
- 2020 Epic Achievement: Guang Gong
- 2020 Best Song: Lady Ada - Powertrace (Pokerface Song Parody / PLATYPUS Paper Teaser)
- 2019 Best Server-Side Bug: Pulse Secure SSL VPN (and others!)
- 2019 Best Client-Side Bug: The Horrible Facetime Group Messaging Bug
- 2019 Best Privilege Escalation Bug: iOS CVE-2019-6225
- 2019 Best Cryptographic Attack: Dr4g0nbl00d
- 2019 Most Innovative Research: Vectorized Emulation
- 2019 Lamest Vendor Response: BitFi
- 2019 Most Over-Hyped Bug: Super Micro - The big hack
- 2019 Most Epic Fail: Bloomberg's Infosec Fan Fiction
- 2019 Most Under-Hyped Research: Thrangrycat
- 2019 Epic Achievement: Steve Christey Coley
- 2018 Best Server-Side Bug: Intel AMT Remote Vulnerability
- 2018 Best Client-Side Bug: The 12 Logic Bug Gifts of Christmas
- 2018 Best Privilege Escalation Bug: Meltdown and Spectre
- 2018 Best Cryptographic Attack: Return Of Bleichenbacher’s Oracle Threat
- 2018 Most Innovative Research: Spectre/Meltdown
- 2018 Lamest Vendor Response: Bitfi
- 2018 Most Over-Hyped Bug: Holey Beep
- 2018 Lifetime Achievement: Michał Zalewski
- 2017 Best Server-Side Bug: CVE-2017-0143, 0144, 0145
- 2017 Best Client-Side Bug: Microsoft Office OLE2Link URL Moniker/Script Moniker
- 2017 Best Privilege Escalation Bug: Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
- 2017 Best Cryptographic Attack: The first collision for full SHA-1
- 2017 Best Backdoor: M.E.Doc
- 2017 Best Branding: GhostButt
- 2017 Most Epic Achievement: Federico Bento
- 2017 Most Innovative Research: ASLR on the line
- 2017 Lamest Vendor Response: 5998
- 2017 Most Over-Hyped Bug: Enter 30 to shell - Cryptsetup bug
- 2017 Best Song: Hello (Covert Channel)
- 2017 Most Epic Fail: Laws Down Under
- 2017 Lifetime Achievement: Felix "FX" Lindner
- 2017 Most Epic 0wnage: Shadow Brokers dumps
- 2016 Best Server-Side Bug: Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow
- 2016 Best Client-Side Bug: glibc getaddrinfo stack-based buffer overflow
- 2016 Best Privilege Escalation Bug: Widevine QSEE TrustZone Privilege Escalation
- 2016 Best Cryptographic Attack: SSLv2 Crypto attack
- 2016 Best Backdoor: Juniper ScreenOS: 哈哈哈哈哈哈
- 2016 Best Stunt Hack: Remotely Killing a Jeep on the Highway
- 2016 Best Branding: Mousejack wireless keystroke injection bug
- 2016 Most Epic Achievement: Never Giving Up and Never Letting Us Down
- 2016 Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
- 2016 Lamest Vendor Response: "WD MyPassword Drive"
- 2016 Most Over-Hyped Bug: Badlock
- 2016 Best Song: "Cyberlier"
- 2016 Lifetime Achievement: Mudge
- 2016 Most Epic 0wnage: The Juniper Backdoor
- 2015 Best Server-Side Bug: SAP LZC LZH Compression Multiple Vulnerabilities
- 2015 Best Client-Side Bug: Will it BLEND?
- 2015 Best Privilege Escalation Bug: UEFI SMM Privilege Escalation
- 2015 Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
- 2015 Lamest Vendor Response: "A Peek Under The Blue Coat"
- 2015 Most Over-Hyped Bug: CVE-2014-6271
- 2015 Best Song: "Clean Slate"
- 2015 Most Epic Fail: Oh, Please... Man!
- 2015 Lifetime Achievement: Halvar Flake
- 2015 Most Epic 0wnage: Hacking Team
- 2014 Best Server-Side Bug: CVE-2014-0160
- 2014 Best Client-Side Bug: CVE-2014-1705
- 2014 Best Privilege Escalation Bug: CVE-2014-1767
- 2014 Most Innovative Research: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
- 2014 Lamest Vendor Response: AVG Remote Administration Insecure "By Design"
- 2014 Best Song: "The SSL Smiley Song"
- 2014 Most Epic Fail: Goto Fail
- 2014 Most Epic 0wnage: Mt. Gox
- 2013 Best Server-Side Bug: CVE-2013-0156
- 2013 Best Client-Side Bug: CVE-2013-0641
- 2013 Best Privilege Escalation Bug: CVE-2013-0977
- 2013 Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
- 2013 Best Song: All the Things
- 2013 Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning
- 2013 Most Epic 0wnage: Joint award to Edward Snowden and the NSA
- 2013 Lifetime Achievement: Barnaby Jack
- 2012 Best Client-Side Bug: Sergey Glazunov's Pwnium Exploit
- 2012 Best Server-Side Bug: CVE-2012-2122
- 2012 Best Privilege Escalation Bug: CVE-2011-2018
- 2012 Most Innovative Research: Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios
- 2012 Best Song: Control
- 2012 Most Epic Fail: F5 Static Root SSH Key
- 2012 Most Epic 0wnage: "Flame" Windows Update MD5 Collision Attack
- 2011 Best Server-Side Bug: CVE-2010-3332
- 2011 Best Client-Side Bug: CVE-2011-0226
- 2011 Best Privilege Escalation Bug: MS11-034
- 2011 Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding
- 2011 Lifetime Achievement: pipacs/PaX Team
- 2011 Lamest Vendor Response: RSA SecurID token compromise
- 2011 Best Song: The Light It Up Contest
- 2011 Most Epic Fail: Sony
- 2011 Most Epic 0wnage: Stuxnet
- 2010 Best Server-Side Bug: CVE-2010-1870
- 2010 Best Client-Side Bug: CVE-2010-0840
- 2010 Best Privilege Escalation Bug: CVE-2010-0232
- 2010 Most Innovative Research: Flash Pointer Inference and JIT Spraying
- 2010 Lamest Vendor Response: LANRev remote code execution
- 2010 Best Song: Pwned - 1337 edition
- 2010 Most Epic Fail: Microsoft Internet Explorer 8 XSS filter
- 2009 Best Server-Side Bug: CVE-2009-0065
- 2009 Best Privilege Escalation Bug: CVE-2009-1185
- 2009 Best Client-Side Bug: CVE-2008-0015
- 2009 Most Epic 0wnage: CVE-2008-3844
- 2009 Most Innovative Research: From 0 to 0day on Symbian
- 2009 Lamest Vendor Response: Linux
- 2009 Most Over-Hyped Bug: CVE-2008-4250
- 2009 Best Song: Nice Report
- 2009 Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis"
- 2009 Lifetime Achievement: Solar Designer
- 2008 Best Server-Side Bug: CVE-2007-0069
- 2008 Best Client-Side Bug: Multiple URL protocol handling flaws
- 2008 Most Epic 0wnage: CVE-2008-*
- 2008 Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys
- 2008 Lamest Vendor Response: McAfee's "Hacker Safe" certification program
- 2008 Most Over-Hyped Bug: CVE-2008-1447
- 2008 Best Song: Packin' The K!
- 2008 Most Epic Fail: CVE-2008-0166
- 2008 Lifetime Achievement: Tim Newsham
- 2007 Best Server-Side Bug: CVE-2007-0882
- 2007 Best Client-Side Bug: CVE-2006-3648
- 2007 Most Epic 0wnage: CVE-2005-4560
- 2007 Most Innovative Research: Temporal Return Addresses
- 2007 Lamest Vendor Response: CVE-2007-1365
- 2007 Most Over-Hyped Bug: MacBook Wi-Fi Vulnerabilities
- 2007 Best Song: Symantec Revolution
For previous nominees, visit the site archive.