Previous Pwnie Award Winners

• 2020 Best Server-Side Bug: BraveStarr – A Fedora 31 netkit telnetd remote exploit
• 2020 Best Client-Side Bug: RCE on Samsung Phones via MMS
• 2020 Best Privilege Escalation Bug: checkm8 - Epic JailBreak
• 2020 Best Cryptographic Attack: Zerologon
• 2020 Most Innovative Research: TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not.
• 2020 Lamest Vendor Response: Daniel J. Bernstein
• 2020 Most Under-Hyped Research: Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)
• 2020 Most Epic Fail: Microsoft
• 2020 Epic Achievement: Guang Gong
• 2020 Best Song: Lady Ada - Powertrace (Pokerface Song Parody / PLATYPUS Paper Teaser)
• 2019 Best Server-Side Bug: Pulse Secure SSL VPN (and others!)
• 2019 Best Client-Side Bug: The Horrible Facetime Group Messaging Bug
• 2019 Best Privilege Escalation Bug: iOS CVE-2019-6225
• 2019 Best Cryptographic Attack: Dr4g0nbl00d
• 2019 Most Innovative Research: Vectorized Emulation
• 2019 Lamest Vendor Response: BitFi
• 2019 Most Over-Hyped Bug: Super Micro - The big hack
• 2019 Most Epic Fail: Bloomberg's Infosec Fan Fiction
• 2019 Most Under-Hyped Research: Thrangrycat
• 2019 Epic Achievement: Steve Christey Coley
• 2018 Best Server-Side Bug: Intel AMT Remote Vulnerability
• 2018 Best Client-Side Bug: The 12 Logic Bug Gifts of Christmas
• 2018 Best Privilege Escalation Bug: Meltdown and Spectre
• 2018 Best Cryptographic Attack: Return Of Bleichenbacher’s Oracle Threat
• 2018 Most Innovative Research: Spectre/Meltdown
• 2018 Lamest Vendor Response: Bitfi
• 2018 Most Over-Hyped Bug: Holey Beep
• 2018 Lifetime Achievement: Michał Zalewski
• 2017 Best Server-Side Bug: CVE-2017-0143, 0144, 0145
• 2017 Best Client-Side Bug: Microsoft Office OLE2Link URL Moniker/Script Moniker
• 2017 Best Privilege Escalation Bug: Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
• 2017 Best Cryptographic Attack: The first collision for full SHA-1
• 2017 Best Backdoor: M.E.Doc
• 2017 Best Branding: GhostButt
• 2017 Most Epic Achievement: Federico Bento
• 2017 Most Innovative Research: ASLR on the line
• 2017 Lamest Vendor Response: 5998
• 2017 Most Over-Hyped Bug: Enter 30 to shell - Cryptsetup bug
• 2017 Best Song: Hello (Covert Channel)
• 2017 Most Epic Fail: Laws Down Under
• 2017 Lifetime Achievement: Felix "FX" Lindner
• 2017 Most Epic 0wnage: Shadow Brokers dumps
• 2016 Best Server-Side Bug: Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow
• 2016 Best Client-Side Bug: glibc getaddrinfo stack-based buffer overflow
• 2016 Best Privilege Escalation Bug: Widevine QSEE TrustZone Privilege Escalation
• 2016 Best Cryptographic Attack: SSLv2 Crypto attack
• 2016 Best Backdoor: Juniper ScreenOS: 哈哈哈哈哈哈
• 2016 Best Stunt Hack: Remotely Killing a Jeep on the Highway
• 2016 Best Branding: Mousejack wireless keystroke injection bug
• 2016 Most Epic Achievement: Never Giving Up and Never Letting Us Down
• 2016 Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
• 2016 Lamest Vendor Response: "WD MyPassword Drive"
• 2016 Most Over-Hyped Bug: Badlock
• 2016 Best Song: "Cyberlier"
• 2016 Lifetime Achievement: Mudge
• 2016 Most Epic 0wnage: The Juniper Backdoor
• 2015 Best Server-Side Bug: SAP LZC LZH Compression Multiple Vulnerabilities
• 2015 Best Client-Side Bug: Will it BLEND?
• 2015 Best Privilege Escalation Bug: UEFI SMM Privilege Escalation
• 2015 Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
• 2015 Lamest Vendor Response: "A Peek Under The Blue Coat"
• 2015 Most Over-Hyped Bug: CVE-2014-6271
• 2015 Best Song: "Clean Slate"
• 2015 Most Epic Fail: Oh, Please... Man!
• 2015 Lifetime Achievement: Halvar Flake
• 2015 Most Epic 0wnage: Hacking Team
• 2014 Best Server-Side Bug: CVE-2014-0160
• 2014 Best Client-Side Bug: CVE-2014-1705
• 2014 Best Privilege Escalation Bug: CVE-2014-1767
• 2014 Most Innovative Research: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
• 2014 Lamest Vendor Response: AVG Remote Administration Insecure "By Design"
• 2014 Best Song: "The SSL Smiley Song"
• 2014 Most Epic Fail: Goto Fail
• 2014 Most Epic 0wnage: Mt. Gox
• 2013 Best Server-Side Bug: CVE-2013-0156
• 2013 Best Client-Side Bug: CVE-2013-0641
• 2013 Best Privilege Escalation Bug: CVE-2013-0977
• 2013 Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
• 2013 Best Song: All the Things
• 2013 Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning
• 2013 Most Epic 0wnage: Joint award to Edward Snowden and the NSA
• 2013 Lifetime Achievement: Barnaby Jack
• 2012 Best Client-Side Bug: Sergey Glazunov's Pwnium Exploit
• 2012 Best Server-Side Bug: CVE-2012-2122
• 2012 Best Privilege Escalation Bug: CVE-2011-2018
• 2012 Most Innovative Research: Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios
• 2012 Best Song: Control
• 2012 Most Epic Fail: F5 Static Root SSH Key
• 2012 Most Epic 0wnage: "Flame" Windows Update MD5 Collision Attack
• 2011 Best Server-Side Bug: CVE-2010-3332
• 2011 Best Client-Side Bug: CVE-2011-0226
• 2011 Best Privilege Escalation Bug: MS11-034
• 2011 Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding
• 2011 Lifetime Achievement: pipacs/PaX Team
• 2011 Lamest Vendor Response: RSA SecurID token compromise
• 2011 Best Song: The Light It Up Contest
• 2011 Most Epic Fail: Sony
• 2011 Most Epic 0wnage: Stuxnet
• 2010 Best Server-Side Bug: CVE-2010-1870
• 2010 Best Client-Side Bug: CVE-2010-0840
• 2010 Best Privilege Escalation Bug: CVE-2010-0232
• 2010 Most Innovative Research: Flash Pointer Inference and JIT Spraying
• 2010 Lamest Vendor Response: LANRev remote code execution
• 2010 Best Song: Pwned - 1337 edition
• 2010 Most Epic Fail: Microsoft Internet Explorer 8 XSS filter
• 2009 Best Server-Side Bug: CVE-2009-0065
• 2009 Best Privilege Escalation Bug: CVE-2009-1185
• 2009 Best Client-Side Bug: CVE-2008-0015
• 2009 Most Epic 0wnage: CVE-2008-3844
• 2009 Most Innovative Research: From 0 to 0day on Symbian
• 2009 Lamest Vendor Response: Linux
• 2009 Most Over-Hyped Bug: CVE-2008-4250
• 2009 Best Song: Nice Report
• 2009 Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis"
• 2009 Lifetime Achievement: Solar Designer
• 2008 Best Server-Side Bug: CVE-2007-0069
• 2008 Best Client-Side Bug: Multiple URL protocol handling flaws
• 2008 Most Epic 0wnage: CVE-2008-*
• 2008 Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys
• 2008 Lamest Vendor Response: McAfee's "Hacker Safe" certification program
• 2008 Most Over-Hyped Bug: CVE-2008-1447
• 2008 Best Song: Packin' The K!
• 2008 Most Epic Fail: CVE-2008-0166
• 2008 Lifetime Achievement: Tim Newsham
• 2007 Best Server-Side Bug: CVE-2007-0882
• 2007 Best Client-Side Bug: CVE-2006-3648
• 2007 Most Epic 0wnage: CVE-2005-4560
• 2007 Most Innovative Research: Temporal Return Addresses
• 2007 Lamest Vendor Response: CVE-2007-1365
• 2007 Most Over-Hyped Bug: MacBook Wi-Fi Vulnerabilities
• 2007 Best Song: Symantec Revolution

For previous nominees, visit the site archive.