Pwnie Awards#2007

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability ({{CVE|2007-2175}}) and Alexander's discovery of an ANI file processing vulnerability ({{CVE|2007-0038}}) in Internet Explorer.

{{More citations needed section|date=January 2013}}

• Most Epic Fail: Crowdstrike for 2024 CrowdStrike incident{{Cite x |number=1816163089307386359 |user=PwnieAwards |title=Some of you may already be aware but due to extenuating circumstances we've made an early award! The 2024 Pwnie for Epic Fail goes to @CrowdStrike for the CRWD2K bug! 🦃 |date=24 Jul 2024}}
• Best Mobile Bug: Operation Triangulation
• Lamest Vendor Response: Xiaomi for obstructing Pwn2Own researchers from using their services
• Best Cryptographic Attack: GoFetch
• Best Desktop Bug: forcing realtime WebAudio playback in Chrome (CVE-2023-5996)
• Best Song: Touch Some Grass by UwU Underground
• Best Privilege Escalation: Windows Streaming Service UAF (CVE-2024-30089) by Valentina Palmiotti (chompie){{Cite web |last=Palmiotti |first=Valentina |date=2024-07-29 |title=Racing round and round: The little bug that could |url=https://www.ibm.com/think/x-force/little-bug-that-could |access-date= |website=IBM |language=en}}
• Best Remote Code Execution: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080)
• Most Epic Achievement: Discovery and reverse engineering of the XZ Utils backdoor
• Most Innovative Research: Let the Cache Cache and Let the WebAssembly Assemble: Knocking’ on Chrome’s Shell{{Cite conference |last1=Bochin |first1=Edouard |last2=Yan |first2=Tao |last3=Qu |first3=Bo |date=2024 |title=Let the Cache Cache and Let the WebAssembly Assemble: Knocking' on Chrome's Shell |url=https://i.blackhat.com/BH-US-24/Presentations/REVISED-US24-Bochin-Let-The-Cache-Cache-and-Wednesday.pdf |conference=Black Hat USA 2024 |via=Palo Alto Networks}} by Edouard Bochin, Tao Yan, and Bo Qu
• Most Underhyped Research: See No Eval: Runtime Dynamic Code Execution in Objective-C{{Cite web |last= |date=16 Jan 2021 |title=See No Eval: Runtime Dynamic Code Execution in Objective-C |url=https://codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/ |access-date= |website=CodeColorist |language=en}}

• Best Desktop Bug: CountExposure!
• Best Cryptographic Attack: Video-based cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED {{Cite web |last1=Nassi |first1=Ben |last2=Iluz |first2=Etay |last3=Vayner |first3=Ofek |last4=Cohen |first4=Or |last5=Nassi |first5=Dudi |last6=Zadov |first6=Boris |last7=Elovici |first7=Yuval |date= |title=Video-based Cryptanalysis: Exploiting a Video Camera's Rolling Shutter to Recover Secret Keys from Devices Using Video Footage of Their Power LED |url=https://www.nassiben.com/video-based-crypta |access-date= |website=nassiben.com |language=en}} by Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, Yuval Elovici
• Best Song: Clickin’
• Most Innovative Research: Inside Apple’s Lightning: Jtagging the iPhone for Fuzzing and Profit
• Most Under-Hyped Research: Activation Context Cache Poisoning
• Best Privilege Escalation Bug: URB Excalibur: Slicing Through the Gordian Knot of VMware VM Escapes
• Best Remote Code Execution Bug: ClamAV RCE
• Lamest Vendor Response: Three Lessons From Threema: Analysis of a Secure Messenger
• Most Epic Fail: “Holy fucking bingle, we have the no fly list,”
• Epic Achievement: Clement Lecigne: 0-days hunter world champion
• Lifetime Achievement Award: Mudge

• Lamest Vendor Response: Google's "TAG" response team for "unilaterally shutting down a counterterrorism operation."{{cite tweet|number=1557268652197416966|user=PwnieAwards|title=Our final nomination for Lamest Vendor Response goes to:Google TAG for "unilaterally shutting down a counterterrorism operation".|date=10 August 2022}}{{cite web |last=O'Neill |first=Patrick Howell |date=26 March 2021 |title=Google's top security teams unilaterally shut down a counterterrorism operation |url=https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/ |website=MIT Technology Review}}{{cite web |date=29 March 2021 |title=Google's Project Zero shuts down Western counter-terrorist hacker team |url=https://www.verdict.co.uk/googles-project-zero-shuts-down-western-counter-terrorist-hacker-team/?cf-view |website=verdict.co.uk}}
• Epic Achievement: Yuki Chen’s Windows Server-Side RCE Bugs
• Most Epic Fail: HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains
• Best Desktop Bug: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Architecturally Leaking Data from the Microarchitecture
• Most Innovative Research: Pietro Borrello, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Custom Processing Unit: Tracing and Patching Intel Atom Microcode
• Best Cryptographic Attack: Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 by Yingchen Wang, Riccardo Paccagnella, Elizabeth Tang He, Hovav Shacham, Christopher Fletcher, David Kohlbrenner
• Best Remote Code Execution Bug: KunlunLab for Windows RPC Runtime Remote Code Execution ({{CVE|2022-26809}})
• Best Privilege Escalation Bug: Qidan He of Dawnslab, for Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace
• Best Mobile Bug: FORCEDENTRY
• Most Under-Hyped Research: Yannay Livneh for Spoofing IP with IPIP
• Best Song: Dialed Up by Project Mammoth{{Cite web |title=Dialed Up – Pwnies |url=https://pwnies.com/dialed-up/ |access-date=2025-05-31 |website=pwnies.com}}{{Cite AV media |url=https://www.youtube.com/watch?v=euMZYqDG4Sc |title=Project Mammoth "Dialed Up" |date=2022-08-04 |last=Project Mammoth |access-date=2025-05-31 |via=YouTube}}

• Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit.{{cite web|title=In epic hack, Signal developer turns the tables on forensics firm Cellebrite|url=https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/|first=Dan|last=Goodin|date=2021-04-21|archive-url=https://web.archive.org/web/20230523235159/https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/|archive-date=2023-05-23}}{{cite web|title=Cellebrite Pushes Update After Signal Owner Hacks Device|first1=Joseph|last1=Cox|first2=Lorenzo|last2=Franceschi-Bicchierai|url=https://www.vice.com/en/article/cellebrite-pushes-update-after-signal-owner-hacks-device/|date=2021-04-27|url-status=live|archive-url=https://web.archive.org/web/20230511051709/https://www.vice.com/en/article/qj8pjm/cellebrite-pushes-update-after-signal-owner-hacks-device|archive-date=2023-05-11}}
• Epic Achievement: Ilfak Guilfanov, in honor of IDA's 30th Anniversary.
• Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo.
• Best Song: The Ransomware Song by Forrest Brazeal{{cite web |last1=Brazeal |first1=Forrest |title=The Ransomware Song |url=https://www.youtube.com/watch?v=d2dsI8NvdCU |archive-url=https://ghostarchive.org/varchive/youtube/20211221/d2dsI8NvdCU |archive-date=2021-12-21 |url-status=live|website=YouTube |date=11 June 2021 |access-date=9 August 2021}}{{cbignore}}
• Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.{{cite web |last1=Tsai |first1=Orange |title=ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server! |url=https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442 |website=www.blackhat.com |access-date=9 August 2021}}
• Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain.{{cite web |title=Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers |url=https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF |access-date=9 August 2021 |website=Defense.gov |publisher=National Security Agency}}
• Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" Attack.{{cite web |last1=Göktaş |first1=Enes |last2=Razavi |first2=Kaveh |last3=Portokalidis |first3=Georgios |last4=Bos |first4=Herbert |last5=Giuffrida |first5=Cristiano |title=Speculative Probing: Hacking Blind in the Spectre Era |url=https://download.vusec.net/papers/blindside_ccs20.pdf}}
• Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.{{cite web |last1=Kolsek |first1=Mitja |title=Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) |url=https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html |website=0Patch Blog |access-date=9 August 2021 |language=en}}
• Best Client-Side Bug: Gunnar Alendal's discovery of a buffer overflow on the Samsung Galaxy S20's secure chip.{{cite web |last1=Alendal |first1=Gunnar |title=Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics |url=https://www.blackhat.com/us-21/briefings/schedule/#chip-chop---smashing-the-mobile-phone-secure-chip-for-fun-and-digital-forensics-23566 |website=www.blackhat.com |publisher=Black Hat}}
• Most Under-Hyped Research: The Qualys Research Team for 21Nails,{{cite web |title=21Nails: Multiple vulnerabilities in Exim |url=https://www.qualys.com/2021/05/04/21nails/21nails.txt |website=qualys.com |publisher=Qualys |access-date=9 August 2021}} 21 vulnerabilities in Exim, the Internet's most popular mail server.{{Cite web

|url=http://www.securityspace.com/s_survey/data/man.202102/mxsurvey.html

|title=E-Soft MX survey |website=securityspace.com |publisher=E-Soft Inc. |date=1 March 2021 |access-date=21 March 2021

}}

• Best Server-Side Bug: [https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html BraveStarr] (CVE-2020-10188) – A Fedora 31 netkit telnetd remote exploit (Ronald Huizer')
• Best Privilege Escalation Bug: [https://twitter.com/i/web/status/1177542201670168576 checkm8] – A permanent unpatchable USB bootrom exploit for a billion iOS devices. (axi0mX)
• Epic Achievement: [https://drive.google.com/file/d/1BFMxhSkA0SF2Vx-W05zpY9r66x0SoEJ0/view "Remotely Rooting Modern Android Devices"] (Guang Gong)
• Best Cryptographic Attack: Zerologon vulnerability (Tom Tervoort, CVE-2020-1472)
• Best Client-Side Bug: [https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduction-to-qmage.html RCE on Samsung Phones via MMS] (CVE-2020-8899 and -16747), a zero click remote execution attack. (Mateusz Jurczyk)
• Most Under-Hyped Research: [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00240.html Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT)] (CVE-2019-0151 and -0152) (Gabriel Negreira Barbosa, Rodrigo Rubira Branco, Joe Cihula)
• Most Innovative Research: [https://www.vusec.net/projects/trrespass/ TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not.] (Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi)
• Most Epic Fail: Microsoft; for the implementation of Elliptic-curve signatures which allowed attackers to generate private pairs for public keys of any signer, allowing HTTPS and signed binary spoofing. (CVE-2020-0601)
• Best Song: Powertrace by Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki and Kater
• Lamest Vendor Response: Daniel J. Bernstein (CVE-2005-1513){{Cite web|url=https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt|title=Qualys CVE-2005-1513 Remote Code Execution Qmail|publisher=Qualys |date=19 May 2020 |archive-url=https://web.archive.org/web/20250108160721/https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt |access-date=21 Jan 2025|archive-date=8 January 2025 }}

• Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research.{{cite web |last1=Tsai |first1=Orange |title=Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs! |url=https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545 |website=www.blackhat.com |access-date=7 August 2019}}
• Most Innovative Research: Vectorized Emulation{{Cite web |date=14 Oct 2018 |title=Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second |url=https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html |website=Gamozo Labs Blog}} Brandon Falk
• Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ {{Cite journal |last1=Vanhoef |first1=Mathy |last2=Ronen |first2=Eyal |title=Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd |url=https://eprint.iacr.org/2019/383.pdf |journal=Institute of Electrical and Electronics Engineers}} Mathy Vanhoef, Eyal Ronen
• Lamest Vendor Response: Bitfi
• Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
• Most Under-hyped Bug: Thrangrycat, (Jatin Kataria, Red Balloon Security)

• Most Innovative Research: Spectre{{Cite journal |last1=Kocher |first1=Paul |last2=Horn |first2=Jann |last3=Fogh |first3=Anders |last4=Genkin |first4=Daniel |last5=Gruss |first5=Daniel |last6=Haas |first6=Werner |last7=Hamburg |first7=Mike |last8=Lipp |first8=Moritz |last9=Mangard |first9=Stefan |last10=Prescher |first10=Thomas |last11=Schwarz |first11=Michael |last12=Yarom |first12=Yuval |date=July 2020 |title=Spectre Attacks: Exploiting Speculative Execution |url=https://www.cs.cmu.edu/~18742/papers/spectre.pdf |journal=Communications of the ACM |volume=63 |issue=7 |pages=93–101 |doi=10.1145/3399742}}/Meltdown{{Cite journal |last1=Lipp |first1=Moritz |last2=Schwarz |first2=Michael |last3=Gruss |first3=Daniel |last4=Prescher |first4=Thomas |last5=Haas |first5=Werner |last6=Horn |first6=Jann |last7=Mangard |first7=Stefan |last8=Kocher |first8=Paul |last9=Genkin |first9=Daniel |last10=Yarom |first10=Yuval |last11=Hamburg |first11=Mike |last12=Strackx |first12=Raoul |date=22 May 2020 |title=Meltdown: reading kernel memory from user space |url=https://dl.acm.org/doi/10.1145/3357033 |journal=Communications of the ACM |volume=63 |issue=6 |pages=46–56 |doi=10.1145/3357033}} (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom)
• Best Privilege Escalation Bug: Spectre/Meltdown (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom)
• Lifetime Achievement: Michał Zalewski
• Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher’s Oracle Threat {{Cite conference |last1=Böck |first1=Hanno |last2=Somorovsky |first2=Juraj |last3=Young |first3=Craig |date=15–17 August 2018 |title=Return Of Bleichenbacher's Oracle Threat (ROBOT) |url=https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bock.pdf |conference=27th USENIX Security Symposium}} Hanno Böck, Juraj Somorovsky, Craig Young
• Lamest Vendor Response: Bitfi hardware crypto-wallet, after the "unhackable" device was hacked to extract the keys required to steal coins and rooted to play Doom.{{Cite web |last=Leyden |first=John |date=31 Aug 2018 |title=C'mon, if you say your device is 'unhackable', you're just asking for it: Bitfi retracts edgy claim |url=https://www.theregister.com/2018/08/31/bitfi_reluctantly_drops_unhackable_claim/ |website=The Register}}

• Epic Achievement: Federico Bento for Finally getting TIOCSTI ioctl attack fixed
• Most Innovative Research: ASLR on the line [https://pwnies.com/winners/#research "Pwnie for Most Innovative Research"], Pwnie Awards Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
• Best Privilege Escalation Bug: DRAMMER [https://pwnies.com/winners/#bestprivesc "Pwnie for Best Privilege Escalation Bug"], Pwnie Awards Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
• Best Cryptographic Attack: The first collision for full SHA-[https://eprint.iacr.org/2017/190 1] Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
• Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs[https://pwnies.com/systemd-bugs/ "The 2017 Pwnie Award For Lamest Vendor Response"], Pwnie Awards
• Best Song: Hello (From the Other Side)[https://www.youtube.com/watch?v=d_TmocWyEDY Hello (From the Other Side)] Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner

• Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector {{Cite conference |last1=Bosman |first1=Erik |last2=Razavi |first2=Kaveh |last3=Bos |first3=Herbert |last4=Giuffrida |first4=Cristiano |date=2016 |title=Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector |url=https://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf |conference=2016 IEEE Symposium on Security and Privacy}} Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
• Lifetime Achievement: Peiter Zatko aka Mudge
• Best Cryptographic Attack: DROWN attack{{Cite conference |last1=Avira |first1=Nimrod |last2=Schinzel |first2=Sebastian |last3=Somorovsky |first3=Juraj |last4=Heninger |first4=Nadia |last5=Dankel |first5=Maik |last6=Steube |first6=Jens |last7=Valenta |first7=Luke |last8=Adrian |first8=David |last9= |display-authors=1 |date=August 2016 |title=DROWN: Breaking TLS using SSLv2 |url=https://drownattack.com/drown-attack-paper.pdf |conference=25th USENIX Security Symposium}} Nimrod Aviram et al.
• Best Song: Cyberlier[https://www.youtube.com/watch?v=ZNeFHimR4lQ Cyberlier] Katie Moussouris - Katie Moussouris

Winner list from.{{cite web |last=Yasin |first=Rutrell |date=6 August 2015 |title='Will it Blend?' Earns Pwnie for Best Client Bug; OPM for Most Epic Fail |url=https://www.darkreading.com/vulnerabilities-threats/-will-it-blend-earns-pwnie-for-best-client-bug-opm-for-most-epic-fail |website=Dark Reading}}

• Best Server-Side Bug: SAP LZC LZH Compression Multiple Vulnerabilities, Martin Gallo
• Best Client–Side Bug: Will it BLEND?,{{Cite conference |last=Jurczyk |first=Mateusz |date=2015 |title=One font vulnerability to rule them all |url=https://j00ru.vexillium.org/slides/2015/recon.pdf |conference=REcon 2015, Montreal}} Mateusz j00ru Jurczyk
• Best Privilege Escalation Bug: UEFI SMM Privilege Escalation,{{cite web |last=Lewellen |first=Todd |date=22 Oct 2015 |title=UEFI EDK2 Capsule Update vulnerabilities: Vulnerability Note VU#552286 |url=https://www.kb.cert.org/vuls/id/552286 |website=kb.cert.org}} Corey Kallenberg
• Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice [https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice"], Adrian David et al. Adrian David et al.
• Lamest Vendor Response: Blue Coat Systems (for blocking Raphaël Rigo‘s research presentation at SyScan 2015)
• Most Overhyped Bug: Shellshock (software bug), Stephane Chazelas
• Most Epic FAIL: OPM - U.S. Office of Personnel Management (for losing data on 19.7 Million applicants for US government security clearances.)
• Most Epic 0wnage: China
• Best Song: "Clean Slate" by YTCracker
• Lifetime Achievement: Thomas Dullien aka Halvar Flake

• Best Server-Side Bug: Heartbleed (Neel Mehta and Codenomicon, CVE-2014-0160)
• Best Client-Side Bug: Google Chrome Arbitrary Memory Read Write Vulnerability, (Geohot, CVE-2014-1705)
• Best Privilege Escalation Bug: AFD.sys Dangling Pointer Vulnerability (Sebastian Apelt, CVE-2014-1767); the winner of Pwn2Own 2014.
• Most Innovative Research: [http://www.tau.ac.il/~tromer/acoustic/ RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis] (Daniel Genkin, Adi Shamir, Eran Tromer); extract RSA decryption keys from laptops within an hour by using the sounds generated by the computer.
• Lamest Vendor Response: AVG Remote Administration Insecure “By Design” (AVG)
• Best Song: [https://abad1dea.tumblr.com/post/66054805317/the-ssl-smiley-song-sing-it-with "The SSL Smiley Song"] ([https://twitter.com/0xabad1dea/ 0xabad1dea])
• Most Epic Fail: Goto Fail (Apple Inc.)
• Epic 0wnage: Mt. Gox, (Mark Karpelès)

• Best Server-Side Bug: Ruby on Rails YAML ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156 CVE-2013-0156]) Ben Murphy
• Best Client-Side Bug: Adobe Reader Buffer Overflow and Sandbox Escape ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0641 CVE-2013-0641]) Unknown
• Best Privilege Escalation Bug: iOS incomplete codesign bypass and kernel vulnerabilities ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0977 CVE-2013-0977], [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0978 CVE-2013-0978], [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0981 CVE-2013-0981]) David Wang aka planetbeing and the evad3rs team
• Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns{{Cite conference |last1=Jurczyk |first1=Mateusz |last2=Coldwind |first2=Gynvael |date=April 2013 |title=Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns |url=https://static.googleusercontent.com/media/research.google.com/pl//pubs/archive/42189.pdf |conference=The Symposium on Security for Asia Network |via=Google Inc.}} Mateusz "j00ru" Jurczyk, Gynvael Coldwind
• Best Song: "All the Things" Dual Core
• Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning Hakin9{{Cite web|url=https://www.theregister.co.uk/2012/10/05/hakin9_silliness/|title=Experts troll 'biggest security mag in the world' with DICKish submission|last=at 09:31|first=John Leyden 5 Oct 2012|website=www.theregister.co.uk|language=en|access-date=2019-10-03}}
• Epic 0wnage: Joint award to Edward Snowden and the NSA
• Lifetime Achievement: Barnaby Jack

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.{{cite web |url= http://securitywatch.pcmag.com/none/300756-and-your-2012-pwnie-award-winners-are |title= And Your 2012 Pwnie Award Winners Are... |first= Sara|last= Yin |date= July 26, 2012 |work= SecurityWatch |publisher= PCMag |access-date=January 8, 2013}}{{cite web |url= http://www.internetnews.com/blog/skerner/black-hat-pwnie-awards-go-to-flame-for-epic-pwnage-and-f5-for-epic-fail.html |title= Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail |author= Sean Michael Kerner |date= July 25, 2012 |publisher= InternetNews.com |access-date=January 8, 2013}}

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.

The award for best song went to "Control" by nerdcore rapper Dual Core. A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).

The award for "epic 0wnage" went to Flame for its MD5 collision attack, recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.{{cite web |url= http://www.pcworld.com/article/259916/flames_windows_update_hack_wins_pwnie_award_for_epic_ownage_at_black_hat.html |title= Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat |first= Lucian|last= Constantin |date= July 26, 2012 |work= IDG-News-Service |publisher= PCWorld |access-date=January 8, 2013}}

• Best Server-Side Bug: ASP.NET Framework Padding Oracle ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3332 CVE-2010-3332]) Juliano Rizzo, Thai Duong
• Best Client-Side Bug: FreeType vulnerability in iOS ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]) Comex{{cite web |url= http://www.informationweek.com/security/attacks/pwnie-award-highlights-sony-epic-fail-an/231300255 |title= Pwnie Award Highlights: Sony Epic Fail And More |last1= Schwartz |first1= Mathew J. |date= August 4, 2011 |publisher= InformationWeek |access-date=January 3, 2013}}
• Best Privilege Escalation Bug: Windows kernel win32k user-mode callback vulnerabilities{{Cite conference |last=Mandt |first=Tarjei |date=2011 |title=Kernel Attacks through User-Mode Callbacks |url=https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf |conference=Black Hat USA 2011 |via=Norman Threat Research}} ([https://technet.microsoft.com/en-us/security/bulletin/ms11-034 MS11-034]) Tarjei Mandt
• Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding{{Citation |last=Bania |first=Piotr |title=Securing The Kernel Via Static Binary Rewriting, Program Shepherding and Partial Control Flow Integrity |date=2011 |url=https://www.piotrbania.com/all/articles/pbania-securing-the-kernel2012_UPDATE.pdf}} Piotr Bania
• Lifetime Achievement: pipacs/PaX Team
• Lamest Vendor Response: RSA SecurID token compromise RSA
• Best Song: "[The Light It Up Contest]" Geohot
• Most Epic Fail: Sony
• Pwnie for Epic 0wnage: Stuxnet

• Best Server-Side Bug: Apache Struts2 framework remote code execution ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1870 CVE-2010-1870]) Meder Kydyraliev
• Best Client-Side Bug: Java Trusted Method Chaining ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840 CVE-2010-0840]) Sami Koivu
• Best Privilege Escalation Bug: Windows NT #GP Trap Handler ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0232 CVE-2010-0232]) Tavis Ormandy
• Most Innovative Research: Flash Pointer Inference and JIT Spraying{{Citation |title=Interpreter Exploitation: Pointer Inference and JIT Spraying |date=2010 |url=http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf}}. Dionysus Blazakis
• Lamest Vendor Response: LANrev remote code execution Absolute Software
• Best Song: "[https://www.reverbnation.com/heavypennies/song/4597167-pwned Pwned - 1337 edition]" Dr. Raid and Heavy Pennies
• Most Epic Fail: Microsoft Internet Explorer 8 XSS filter Eduardo Vela Nava and David Lindsay

• Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption ({{CVE|2009-0065}}) David 'DK2' Kim
• Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation ({{CVE|2009-1185}}) Sebastian Krahmer
• Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow ([http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015 CVE-2008-0015]) Ryan Smith and Alex Wheeler
• Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages ({{CVE|2008-3844}}) Anonymous{{cite web |url= https://www.forbes.com/2009/07/30/pwnie-twitter-blackhat-technology-security-pwnie.html |title= Twitter Gets 'Pwned' Again |last1= Buley |first1= Taylor |date= July 30, 2009 |work= Forbes |access-date= January 3, 2013 |archive-url= https://archive.today/20130216024731/http://www.forbes.com/2009/07/30/pwnie-twitter-blackhat-technology-security-pwnie.html |archive-date= February 16, 2013 |url-status= dead }}
• Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
• Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project{{cite web |url= http://www.networkworld.com/news/2009/073109-black-hat-pwnie-awards.html |title= Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards |last1= Brown |first1= Bob |date= July 31, 2009 |publisher= NetworkWorld |access-date= January 3, 2013 |archive-url= https://web.archive.org/web/20090805171646/http://www.networkworld.com/news/2009/073109-black-hat-pwnie-awards.html |archive-date= August 5, 2009 |url-status= dead }}
• Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow ({{CVE|2008-4250}}) Anonymous
• Best Song: Nice Report Doctor Raid
• Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter
• Lifetime Achievement Award: Solar Designer

• Best Server-Side Bug: Windows IGMP Kernel Vulnerability ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0069 CVE-2007-0069]) Alex Wheeler and Ryan Smith
• Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
• Mass 0wnage: An unbelievable number of WordPress vulnerabilities
• Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators) J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten
• Lamest Vendor Response: McAfee's "Hacker Safe" certification program{{cite web |url= http://www.technologyreview.com/view/410571/black-hats-pwnie-awards/ |title= Black Hat's Pwnie Awards |last1= Naone |first1= Erica |date= August 7, 2008 |publisher= MIT Technology Review |access-date=January 3, 2013}}
• Most Overhyped Bug: Dan Kaminsky's DNS Cache Poisoning Vulnerability ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 CVE-2008-1447])
• Best Song: [https://www.youtube.com/watch?v=bHxyHlFZ778 Packin' the K!] by Kaspersky Labs
• Most Epic Fail: Debian's flawed OpenSSL Implementation (CVE-2008-0166)
• Lifetime Achievement Award: Tim Newsham

• Best Server-Side Bug: Solaris in.telnetd remote root exploit ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 CVE-2007-0882]), Kingcope
• Best Client-Side Bug: Unhandled exception filter chaining vulnerability ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3648 CVE-2006-3648]) skape & skywing
• Mass 0wnage: WMF SetAbortProc remote code execution ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560 CVE-2005-4560]) anonymous
• Most Innovative Research: Temporal Return Addresses, skape
• Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1365 CVE-2007-1365]){{cite web |url= http://www.zdnet.com/blog/security/openbsd-team-mocked-at-first-ever-pwnie-awards/418 |archive-url= https://archive.today/20130217023941/http://www.zdnet.com/blog/security/openbsd-team-mocked-at-first-ever-pwnie-awards/418 |url-status= dead |archive-date= February 17, 2013 |title= OpenBSD team mocked at first ever 'Pwnie' awards |last1= Naraine |first1= Ryan |date= August 2, 2007 |publisher= ZDNet |access-date=January 3, 2013}}
• Most Overhyped Bug: MacBook Wi-Fi Vulnerabilities, David Maynor
• Best Song: Symantec Revolution, Symantec

• [http://pwnies.com The Pwnie Awards]

{{DEFAULTSORT:Pwnie Award}}

Category:Computer security

Category:Ironic and humorous awards