How it all began
More than just a competition, Pwn2Own is a proving ground for innovation and a powerful reminder of the high stakes in security. It exposes vulnerabilities in commonly used devices and software, serving as a critical checkpoint for cybersecurity advancements since the previous year’s event.
Since its inception at the 2007 CanSecWest security conference in Vancouver, Canada, Pwn2Own has grown significantly and now features 3 events annually.
The evolution of Pwn2Own: reaping the rewards
Pwn2Own has grown from a small contest with $10,000 prizes to the world’s most prestigious hacking competition, awarding over $1 million per event. Its evolving rules mirror the shifting threat landscape, expanding to cover browsers, operating systems, servers, and, since 2019, automobiles. This prominence has enabled Trend’s Zero Day Initiative™ (ZDI) to engage with top researchers worldwide.
Pwn2Own’s disclosure process is one of the best forums for vendors and researchers to collaborate directly, discussing vulnerabilities in real time.
Pwn2Own 2025
Fall 2025
Exciting events are coming
We’re getting things together and working on something big. Stay tuned and check back soon for all the details—you won’t want to miss it!
May 2025
Pwn2Own Berlin
Pwn2Own lands in Berlin, Germany this May with new challenges for the world’s top security researchers. This year, we’re introducing an AI category, pushing beyond prompt injection to full code execution on AI frameworks. The Tesla category also returns, with researchers targeting the latest vehicle systems, including the 2024 Model 3 and 2025 Model Y. With $1,000,000+ in prizes and categories spanning web browsers, cloud security, enterprise applications, and more, the competition continues to evolve with the security landscape.
January 2025
A look back at Pwn2Own Automotive 2025
Did you hear about the ultimate challenge for automotive cybersecurity at Pwn2Own Automotive 2025? It brought together top talent to showcase their skills to industry leaders while driving innovation to make vehicles safer for everyone. The event offered a platform for groundbreaking contributions and the chance to win cash prizes, trophies, and global recognition. We awarded $886,250 for 49 unique 0-days, including research into EV chargers that had never been publicly demonstrated before. Sina Kheirkhah won Master of Pwn with $222,250 total earned.
The full picture: Pwn2Own throughout the years since its 2007 launch
Pwn2Own Automotive 2025
Held January 22-24 in Tokyo, the event brought together some of the best researchers in the world to test the latest automotive components. Key partners included the innovation giants VicOne and Tesla.
Pwn2Own Ireland 2024
Held at Trend Micro's offices in Cork, Ireland, the 2024 event introduced new categories, including the Meta-sponsored WhatsApp category, which offered potential earnings of up to $300,000. Additionally, AI-enabled devices were featured for the first time, covering smartphones, NAS systems, and cameras with AI capabilities. Over 4 days, we awarded over $1 million for 70+ 0-day vulnerabilities and crowned Viettel Cyber Security as Master of Pwn.
Pwn2Own Vancouver 2024
Pwn2Own returned to the CanSecWest conference in Vancouver, Canada, to highlight the latest exploits in enterprise servers and applications. In total, we awarded $1,132,500 for 29 unique 0-days. Manfred Paul was crowned the Master of Pwn. He won $202,500 and 25 points total by exploiting all four browsers during the competition (Chrome, Edge, Safari, and Firefox). This event also introduced Docker as a target, and the team from STAR Labs SG combined two bugs to execute their container escape. Valentina Palmiotti used an Improper Update of Reference Count bug to escalate privileges on Windows 11. This was later awarded the “Best Privilege Escalation” at the 2024 Pwnie Awards. Other highlights included Oracle VirtualBox exploits and privilege escalations on all major OSes.
Pwn2Own Automotive 2024
The inaugural Pwn2Own Automotive was broadcast live from Tokyo at the Automotive World conference. The response exceeded our expectations, with over 45 entries spanning all categories. We awarded $1,323,750 throughout the event and discovered 49 unique zero-days.
Pwn2Own Toronto 2023
The consumer edition of Pwn2Own returned to Trend’s Toronto offices, featuring targets like mobile phones, surveillance systems, and small office setups. The event drew significant attention, with vendors making last-minute security pushes and researchers demonstrating high-impact exploits. Synacktiv showcased a zero-click exploit on the Wyze camera, while a successful attack on the Xiaomi 13 Pro led Xiaomi to disable parts of its global network. In total, $1,038,500 was awarded for 58 unique 0-days, with Team Viettel earning the title of Master of Pwn with $180,000 and 30 points.
Pwn2Own Vancouver 2023
At CanSecWest, Pwn2Own disclosed 27 zero-days and awarded $1,035,000 and a Tesla Model 3. Tesla exploits targeted the Gateway and multiple subsystems, gaining root access. SharePoint and macOS on M2 were also compromised, with wide-reaching Windows vulnerabilities uncovered. Synacktiv won Master of Pwn with $530,000, 53 points, and the Tesla Model 3.
Pwn2Own Miami 2023
The ICS/SCADA contest returned to the S4 conference in Miami Beach, Florida, disclosing 27 zero-days across 10 products from 16 entries. For the first time, AI played a role, with Claroty using ChatGPT in a six-exploit chain targeting Softing Secure Integration Server. Awards totaled $153,500, and Team 82 for Claroty claimed Master of Pwn with $98,500.
Pwn2Own Toronto 2022
The first Toronto Pwn2Own, hosted at Trend Micro’s offices, became the largest event in history, with 66 entries from 36 teams targeting 13 products. Awards totaled $989,750 for 63 zero-days. Highlights included the SOHO Smashup category, Samsung Galaxy S22 exploits, and a Lexmark printer turned jukebox. DEVCORE won Master of Pwn with $142,500.
Pwn2Own Vancouver 2022
Pwn2Own’s 15th anniversary in Vancouver awarded $1,155,000 for 25 zero-days. Day One set an $800,000 record, including Microsoft Teams exploits. Day Two featured Tesla Infotainment hacks, while Day Three saw Windows 11 privilege escalations. STAR Labs earned the Master of Pwn title with $270,000 and 27 points.
Pwn2Own Miami 2022
The second edition of Pwn2Own Miami, Florida, took place from April 19-21, 2022, at the Fillmore in South Beach, Miami. Over the three-day contest, contestants won $400,000 for 26 unique 0-days. The team of Daan Keuper and Thijs Alkemade from Computest Sector 7 were awarded Master of Pwn, earning $90,000. Daan Keuper and Thijs Alkemade showcased a highlight of the contest by bypassing the trusted application check on the OPC Foundation OPC UA .NET Standard.
Pwn2Own Austin 2021
With continued travel restrictions, the consumer version of Pwn2Own occurred at Trend ZDI’s headquarters in Austin, Texas. This event attracted much attention from the research community and turned out to be the largest event in Pwn2Own history, including 58 separate entries from over 22 different teams targeting 13 different products. Ultimately, we awarded $1,081,250 for 61 unique 0-day vulnerabilities – the second largest payout in Pwn2Own history. A standout moment featured an exploit turning an HP printer into a jukebox, playing AC/DC’s Thunderstruck through its internal speaker.
Pwn2Own Vancouver 2021 (From Austin with Love)
From April 6-8, 2021, the Pwn2Own contest was held in Austin, Texas, and virtually. This year introduced the Enterprise Communications category, featuring Microsoft Teams and Zoom Messenger. On the first day, Apple Safari, Microsoft Exchange, Microsoft Teams, Windows 10, and Ubuntu were all compromised. Zoom Messenger fell to a zero-click exploit on day two, with Parallels Desktop, Google Chrome, and Microsoft Edge also successfully exploited. The contest awarded over $1,200,000 for 23 unique zero-days. The Master of Pwn title was shared in a three-way tie between Team DEVCORE, OV, and Daan Keuper and Thijs Alkemade.
Pwn2Own Tokyo (Live from Toronto) 2020
With the continued lockdown from COVID-19, the PacSec conference was again held virtually. The event was live streamed on Twitch and YouTube, with interviews and older videos filling in the gaps between attempts. This contest also saw the inclusion of storage area network (SAN) servers as a target. The contest awarded $136,500 for 23 unique bugs. Pedro Ribeiro and Radek Domanski earned the Master of Pwn title with two successful SAN exploits.
Pwn2Own Vancouver 2020
Due to COVID-19, the event was held virtually, enabling researchers to submit their exploits ahead of time. Trend ZDI researchers executed the exploits from home, recording both the screen and a Zoom call with the contestants. Over 2 days, 6 successful demonstrations were awarded $270,000, with 13 unique bugs purchased in Adobe Reader, Apple Safari and macOS, Microsoft Windows, and Oracle VirtualBox. As a special highlight, Trend ZDI researcher Lucas Leong showcased an unpatched Oracle VirtualBox bug. Amat Cama and Richard Zhu earned the Master of Pwn title with $90,000 in winnings.
Pwn2Own Miami 2020
Hosted at the S4 conference, the first-ever Pwn2Own in Miami focused on Industrial Control Systems (ICS). Researchers targeted multiple categories, including Control Servers, OPC Unified Architecture (OPC UA) Servers, DNP3 Gateways, Human Machine Interfaces (HMI), and Engineering Workstation Software (EWS). 8 competitor groups successfully exploited at least one target in every category. Over $280,000 in cash and prizes was awarded, with more than two dozen zero-day vulnerabilities purchased. Steven Seeley and Chris Anastasio earned the Master of Pwn title with $80,000 in winnings.
Pwn2Own Tokyo 2019
Facebook was included, bringing their Oculus Quest VR system to the contest. We also expanded the contest to include more IoT devices, such as smart speakers, televisions, and wireless routers. Overall, we awarded more than $315,000 total over the two-day contest while purchasing 18 different bugs in the various products. With $195,000 and 18.5 points, the Fluoroacetate duo of Richard Zhu and Amat Cama retained their title of Master of Pwn – their third in a row.
Pwn2Own Vancouver 2019
Partnering with us, Tesla featured a Model 3 in the contest, offering 6 focal points for in-scope research. This addition joined traditional categories like web browsers, virtualization software, enterprise applications, and Windows RDP. Over three days, Trend ZDI awarded $545,000 for 19 unique vulnerabilities. Amat Cama and Richard Zhu claimed the Master of Pwn title, earning $375,000 and the Model 3.
Pwn2Own Tokyo 2018
We added IoT targets to the contest and rebranded it from Mobile Pwn2Own to Pwn2Own Tokyo. Although smart speakers, web cameras, and smart watches were included in the contest, none of these devices were targeted. The contest awarded $325,000 total while purchasing 18 0-day bug reports. Scoring 45 points and $215,000, Amat Cama and Richard Zhu earned the title Master of Pwn.
Pwn2Own 2018
Trend ZDI partnered with Microsoft, welcoming VMware as a sponsor, for 5 categories of targets: virtualization, web browsers, enterprise applications, servers, and a special Windows Insider Preview Challenge category. Corporate-sponsored team participation declined, as the Chinese teams were no longer allowed to participate. The contest awarded $267,000 for a dozen 0-day exploits and crowned Richard Zhu (fluorescence) as the Master of Pwn.
Mobile Pwn2Own 2017 (Tokyo, Japan)
In our largest mobile contest ever, we purchased a total of 32 unique bugs during the contest as contestants earned $515,000 in prizes. Tencent Keen Security Lab was crowned Master of Pwn with 44 points. This was the first contest where withdrawing from an attempt incurred negative points towards Master of Pwn.
Pwn2Own 2017
The tenth anniversary of the contest was the busiest ever as Trend ZDI spent $833,000 acquiring 51 different 0-day bugs. The high number of submissions required two tracks on Day 2 to accommodate all entries. This contest also saw two successful guest-to-host OS elevations in VMware. The team of 360 Security won Master of Pwn scoring 63 total points. This year teams submitted bugs ahead of the contest in a strategic effort to knock out their competitors' vulnerabilities.
Mobile Pwn2Own 2016 (Tokyo, Japan)
The contest returned to Tokyo with the iPhone 6s, Google Nexus 6p, and the Galaxy S7 as targets. All were exploited as the contest awarded $375,000 in total. Tencent Keen Security Lab Team was awarded the title of Master of Pwn with total winnings of $210,000 and 45 points.
Pwn2Own 2016
This year saw the introduction of the Master of Pwn – the title of the overall winner of Pwn2Own. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could present great research but receive less money, since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down, so someone could have an unlucky draw and still accumulate the most points. The team from Tencent Security Team Sniper claimed the first Master of Pwn title with 38 points. Overall, the contest awarded $460,000 in total for 21 vulnerabilities.
Mobile Pwn2Own 2015
The team took a year off to determine how best to process the submissions while being compliant with the Wassenaar Arrangement.
Pwn2Own 2015
The difficulty level significantly increased at the 2015 contest as the “unicorn” prize from 2014 became the standard for all Windows targets. Successful exploits needed to evade Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) on all Windows targets, achieve SYSTEM-level code execution (with a $25,000 bonus), and target 64-bit browsers with Enhanced Protected Mode (EPM) enabled.
Mobile Pwn2Own 2014 (Tokyo, Japan)
Our biggest mobile event yet, where seven phones were targeted by seven different teams. All were successfully exploited.
Pwn2Own 2014
2 record-setting days of payouts brought Pwn2Own near its first million-dollar competition, awarding $850,000 to 8 entrants, with $385,000 in prizes left unclaimed. The Pwn4Fun contest between Google and Trend ZDI raised $82,500 for charity, while the $150,000 Exploit Unicorn grand prize—created to challenge top researchers—went unclaimed.
Mobile Pwn2Own 2013 (Tokyo, Japan)
The contest was brought to Asia for the first time, and the scope expanded to include Bluetooth, WiFi, and USB-based attacks. Prizes ranged from $50,000 to $100,000, totaling $300,000. Contestants from Japan and China joined U.S. participants for the first time, with total winnings reaching $117,500.
Pwn2Own 2013
The contest expanded its focus beyond vulnerabilities in the web browser to include plug-ins. The prize pool was $560,000, with individual prizes ranging from $20,000 to $100,000. Contestants won $320,000.
Mobile Pwn2Own 2012 (Amsterdam, Netherlands)
Held in Europe for the first time, the contest introduced new rules focused on mobile devices only, offering prizes ranging from $30,000 to $100,000 (for a cellular base-band attack). 2 groups of researchers successfully competed, winning a total of $60,000.
Pwn2Own 2012
The competition adopted a capture-the-flag format with a point system for exploits targeting the latest versions of IE, Firefox, Safari, and Chrome. Prizes of $60,000, $30,000, and $15,000 were awarded to first, second, and third place, respectively.
Pwn2Own 2011
Google entered as co-sponsor for Chrome only with a prize pool of $125,000. Non-Chrome categories offered $15,000 each. Contestants claimed $60,000 overall, but no one attempted a Chrome exploit.
Pwn2Own 2010
Contestants earned a total of $45,000, with $10,000 awarded for each web target and $15,000 for each mobile target.
Pwn2Own 2008-09
The scope of the Pwn2Own contest was expanded to include a wider array of operating systems and browsers. Trend ZDI ran the contest and agreed to buy all successfully demonstrated vulnerabilities, awarding prizes ranging from $5,000 to $20,000 per vulnerability. Contestants won $15,000 in 2008 and $20,000 in 2009.
Pwn2Own 2007
Initiated by CanSecWest founder Dragos Ruiu, the inaugural contest highlighted the insecurity of Apple's Mac OS X operating system. At the time, there was a popular belief that OS X was far more secure than its competitors. Initially, only the laptops were offered as prizes. However, on the first day of the conference, Trend ZDI was asked to participate and offered to purchase any vulnerabilities used in the contest for a flat price of $10,000 USD.