The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference.
The name Pwnie Award is based on the word "pwn", hacker slang meaning "to compromise" or "to control", derived from the earlier use of the word "own" (and pronounced similarly). The name "The Pwnie Awards" is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.
The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.
2015 winners:
Most Epic Fail: OPM - U.S. Office of Personnel Management

2014 winners:
The award for best server-side bug went to the security researchers who discovered Heartbleed, and the award for best client-side bug went to George Hotz for finding a bug in Chrome OS. The "most epic fail" award went to Apple for its goto fail bug in iOS and OS X.

2013 winners:
Best Server-Side Bug: Ruby on Rails YAML (CVE-2013-0156), Ben Murphy
Best Client-Side Bug: Adobe Reader buffer overflow and sandbox escape (CVE-2013-0641), unknown
Best Privilege Escalation Bug: iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978, CVE-2013-0981), David Wang aka planetbeing and the evad3rs team
Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Best Song: "All the Things", Dual Core
Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning, Hakin9
Epic 0wnage: joint award to Edward Snowden and the NSA
Lifetime Achievement: Barnaby Jack

2012 winners:
The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws, presented as part of Google's Pwnium contest.
The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.
The award for best song went to "Control" by nerdcore rapper Dual Core. A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.
The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).
The award for "epic 0wnage" went to Flame for its MD5 collision attack, recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.
2011 winners:
Best Server-Side Bug: ASP.NET Framework padding oracle (CVE-2010-3332), Juliano Rizzo and Thai Duong
Best Client-Side Bug: FreeType vulnerability in iOS (CVE-2011-0226), Comex
Best Privilege Escalation Bug: Windows kernel win32k user-mode callback vulnerabilities (MS11-034), Tarjei Mandt
Most Innovative Research: Securing the Kernel via Static Binary Rewriting and Program Shepherding, Piotr Bania
Lifetime Achievement: pipacs/PaX Team
Lamest Vendor Response: RSA SecurID token compromise, RSA
Best Song: "The Light It Up Contest", Geohot
Most Epic Fail: Sony
Epic 0wnage: Stuxnet

2010 winners:
Best Server-Side Bug: Apache Struts2 framework remote code execution (CVE-2010-1870), Meder Kydyraliev
Best Client-Side Bug: Java Trusted Method Chaining (CVE-2010-0840), Sami Koivu
Best Privilege Escalation Bug: Windows NT #GP trap handler (CVE-2010-0232), Tavis Ormandy
Most Innovative Research: Flash Pointer Inference and JIT Spraying, Dionysus Blazakis
Lamest Vendor Response: LANrev remote code execution, Absolute Software
Best Song: "Pwned - 1337 edition", Dr. Raid and Heavy Pennies
Most Epic Fail: Microsoft Internet Explorer 8 XSS filter

2009 winners:
Best Server-Side Bug: Linux SCTP FWD Chunk memory corruption (CVE-2009-0065), David 'DK2' Kim
Best Privilege Escalation Bug: Linux udev Netlink message privilege escalation (CVE-2009-1185), Sebastian Krahmer
Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest stack buffer overflow (CVE-2008-0015), Ryan Smith and Alex Wheeler
Mass 0wnage: Red Hat Networks backdoored OpenSSH packages (CVE-2008-3844), anonymous
Best Research: From 0 to 0day on Symbian, Bernhard Mueller
Lamest Vendor Response: Linux Project, for "continually assuming that all kernel memory corruption bugs are only Denial-of-Service"
Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() stack overflow (CVE-2008-4250), anonymous
Best Song: "Nice Report", Doctor Raid
Most Epic Fail: Twitter gets hacked and the "Cloud Crisis", Twitter
Lifetime Achievement Award: Solar Designer

2008 winners:
Best Server-Side Bug: Windows IGMP kernel vulnerability (CVE-2007-0069), Alex Wheeler and Ryan Smith
Best Client-Side Bug: Multiple URL protocol handling flaws, Nate McFeters, Rob Carter, and Billy Rios
Mass 0wnage: An unbelievable number of WordPress vulnerabilities
Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, and Edward Felten (honorable mention to Rolf Rolles for work on virtualization obfuscators)
Lamest Vendor Response: McAfee's "Hacker Safe" certification program
Most Overhyped Bug: Dan Kaminsky's DNS cache poisoning vulnerability (CVE-2008-1447)
Best Song: "Packin' the K!", Kaspersky Labs
Most Epic Fail: Debian's flawed OpenSSL implementation (CVE-2008-0166)
Lifetime Achievement Award: Tim Newsham

2007 winners:
Best Server-Side Bug: Solaris in.telnetd remote root exploit (CVE-2007-0882), Kingcope
Best Client-Side Bug: Unhandled exception filter chaining vulnerability (CVE-2006-3648), skape and skywing
Mass 0wnage: WMF SetAbortProc remote code execution (CVE-2005-4560), anonymous
Most Innovative Research: Temporal Return Addresses, skape
Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
Most Overhyped Bug: MacBook Wi-Fi vulnerabilities, David Maynor
Best Song: "Symantec Revolution", Symantec