Software vendors got some bad news over the weekend. ZDNet reported that Chinese hackers demonstrated exploits in major browsers, common utilities and other apps during the Tianfu Cup hacking competition held in Chengdu.
China has officially "discouraged" security researchers from participating in hacking competitions outside the country since at least March 2018. Tianfu Cup gives those hackers a place to demonstrate their skills--and earn six-figure bounties for successful exploits--without risking the government's ire by competing abroad.
ZDNet reported that former Pwn2Own winner Team 360Vulcan earned $382,500 for hacking the old version of Microsoft Edge, Office 365, Adobe PDF Reader, qemu+Ubuntu and VMWare Workstation across the two days of competition. Some $200,000 of that came from the VMWare exploit; another $80,000 came from the qemu+Ubuntu exploit. The remaining $102,500 was split among the other apps.
Team 360Vulcan wasn't successful in all its attempts. An exploit targeting iOS that was supposed to close out the competition reportedly didn't go as planned. Both days of competition were a bit of a mixed bag, actually, with roughly half of the exploits working as intended (that's 13 of the planned 32 for the first day and seven of the planned 16 for the second day). Maybe there's solace to be found there.
Teams also demonstrated successful exploits in Chrome, Safari and the D-Link DIR-878 router during the Tianfu Cup's two-day competition. Earnings varied based on the severity of the vulnerability and the company that made the product. And don't worry, because the competition's organizers told ZDNet that all teams plan to reveal details about the exploited vulnerabilities to the affected companies after the event.
It would be easy to demonize events like this. Some of these products are used by hundreds of millions of people; undermining their security for sport might seem a bit strange. But these competitions help incentivize ongoing research into these products, which companies then use to make them even more secure. It's better to have public displays of security exploits than for them to be used secretly with malicious intent.