Monday, March 23, 2009

More Pwn2Own

Following up on one of your classmates' comments regarding the recent Pwn2Own competition at the CanSecWest conference, I thought it would be useful to provide links to Ryan Naraine's interviews with two of the competitors, Charlie Miller and Nils.

It's particularly interesting to note Nils's and Miller's contrasting views on security research. Nils stated,
Vulnerabilities are only valued highly by companies or organizations who aren’t interested in getting them fixed. I don’t want to participate in that. I like to see my bugs get fixed. During the two days [at CanSecWest], I was able to sit with vendors like Microsoft and Mozilla to work on getting these things fixed. I’m not interested in selling bugs to strange organizations. Those are the people paying high prices but they’re also not interested in getting them fixed.
In contrast, Miller stated,
I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.
There is also fascinating detail in these interviews regarding the vulnerability discovery and exploit creation process in security research. For those of you interested in the technical aspects of security research, I highly recommend reading these interviews.