THE MOBILE PWN2OWN CONTEST ("CONTEST") IS CONDUCTED IN TOKYO, JAPAN ONLY AND SHALL BE CONSTRUED AND EVALUATED ACCORDING TO APPLICABLE JAPANESE LAW. VOID IN WHOLE OR PART WHERE PROHIBITED BY LAW. ENTRY IN THIS CONTEST CONSTITUTES ACCEPTANCE OF THESE CONTEST RULES (THE "CONTEST RULES"). HEWLETT-PACKARD, COMPANY ("HP") IS THE SPONSOR OF THIS CONTEST ("SPONSOR").
Employees of HP, Google Inc. ("Google") and BlackBerry Limited (“BlackBerry”) and their respective affiliates, subsidiaries, related companies, advertising and promotional agencies, and the household members of any of the above are not eligible to participate in the Contest.
Contestants must be 18 years of age or older at the time of registration in order to participate and may not be a resident of any U.S. embargoed or sanctioned country or otherwise be listed on any U.S. denied or barred persons list.
Sponsor shall have the right at any time to require proof of identity and/or eligibility to participate in the Contest. Failure to provide such proof may result in disqualification. All personal and other information requested by and supplied to the Sponsor for the purpose of the Contest must be truthful, complete, accurate, and in no way misleading. The Sponsor reserves the right, in its sole discretion, to disqualify any contestant should such contestant at any stage supply untruthful, incomplete, inaccurate, or misleading personal details and/or information.
2. CONTEST PERIOD.
The Contest will be held November 13th – 14th, 2013, during the PacSec 2013 Conference in Tokyo, Japan.
3. HOW TO ENTER.
This Contest is open to all registrants in the PacSec 2013 Conference, subject to the eligibility requirements herein. Contestants may also assign a proxy to participate in the contest on their behalf if they are unable to attend the conference; however, the proxy must be in attendance at the conference and both the contestant and the proxy must also meet all of the requirements and comply with these Contest Rules. No purchase is required to participate in the Contest.
All contestants must sign up for a Zero Day Initiative ("ZDI") Researcher account in order to participate. Sign up is free and can be completed at https://www.zerodayinitiative.com/portal/register/. Once a contestant is signed up as a ZDI Researcher, the contestant can register for the contest by contacting Sponsor via e-mail at firstname.lastname@example.org and indicating in which category(ies) the contestant wishes to participate. Contest registration closes at 5:00 p.m. Japan Standard Time on November 12th, 2013.
HP is offering more than $300,000 (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a target within the selected category will win the prizes for the category. All prizes are in US currency.
** If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000. There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.
Along with the prize money, the contestant will win the compromised target (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000).
It is possible that a category may have no winner. If a category has no winner, Sponsor may, in its sole discretion, choose to use the prize money from that category to offer additional prize(s) in another category that may be equal to or less than the initial prize offering for such category; so, that category may have additional winners.
Winners are not entitled to the monetary difference between the actual prize value and the stated estimated prize value, if any. The estimated prize value is as of the date of printing of these Contest Rules.
Odds of winning depend on the number of eligible participants in a category and ability to meet the requirements of this skills-based contest. Prizes will be distributed within eight (8) weeks after each winner has fulfilled the requirements set out herein.
Prizes must be accepted as awarded and cannot be transferred, assigned, substituted, or redeemed for cash except at the sole discretion of Sponsor. Any unused portion of a prize will be forfeited and have no cash value. Sponsor reserves the right, in its sole discretion, to substitute a prize of equal or greater value if a prize (or any portion thereof) cannot be awarded for any reason. Taxes on prizes, if any, are the sole responsibility of the winner.
The Sponsor shall not assume any liability for any lost or misdirected prizes.
5. WINNER SELECTION.
If more than one contestant registers for a given category, the order of the contestants will be drawn at random. Based on the contestant order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity. This will continue until a contestant successfully compromises the target. After a target has been compromised, the contest for that category is over and no other contestants will participate in the contest for that category (unless Sponsor has offered an additional winner option, which would be announced at the conference if applicable). The first contestant to successfully compromise a selected target will win the prize money for that category.
During the contest, a contestant will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites). A successful attack against these targets must require little or no user interaction. The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be unpublished 0-days.
The targets will be running on the latest, fully patched version of the operating system available on the selected target. All targets will be installed in their default configurations. The vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. If the contestant's entry is unable to provide a full sandbox escape and no winner is identified for that category, then the Sponsor may, in its sole discretion, choose to accept the entry(ies) and offer the prize(s) at a value less than the initial prize offering for a given category. A given vulnerability may only be used once across all categories.
Upon successful demonstration of the exploit, the contestant will provide Sponsor a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes. The initial vulnerability utilized in the attack must be in the registered category. Sponsor reserves the right to solely determine what constitutes a successful attack. Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept and whitepaper will become the property of HP in accordance with the HP ZDI program.
6. INDEMNIFICATION BY CONTESTANT.
By entering the Contest, contestant releases and holds Sponsor harmless from any and all liability for any injuries, loss, or damage of any kind to the contestant or any other person, including personal injury, death, or property damage, resulting in whole or in part, directly or indirectly, from acceptance, possession, use, or misuse of any prize, participation in the Contest, any breach of the Contest Rules, or in any prize-related activity. The contestant agrees to fully indemnify Sponsor from any and all claims by third parties relating to the Contest, without limitation.
7. LIMITATION OF LIABILITY.
Contestant acknowledges and agrees that Sponsor assumes no responsibility or liability for any computer, online, software, telephone, hardware, or technical malfunctions that may occur. The Sponsor is not responsible for any incorrect or inaccurate information, whether caused by website users or by any of the equipment or programming associated with or utilized in the Contest or by any technical or human error which may occur in the administration of the Contest. The Sponsor is not responsible for any problems, failures, or technical malfunctions of any telephone network or lines, computer online systems, servers, providers, computer equipment, software, e-mail, players, or browsers, on account of technical problems or traffic congestion on the Internet, at any website, or on account of any combination of the foregoing. The Sponsor is not responsible for any injury or damage to contestant or to any computer related to or resulting from participating or downloading materials in this Contest. Contestant assumes liability for injuries caused or claimed to be caused by participating in the Contest, or by the acceptance, possession, use of, or failure to receive any prize. The Sponsor assumes no responsibility or liability in the event that the Contest cannot be conducted as planned for any reason, including those reasons beyond the control of the Sponsor, such as infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or corruption of the administration, security, fairness, integrity, or proper conduct of this Contest.
As a condition of participating in the Contest, each contestant agrees to be bound by these Contest Rules, which will be posted at the Contest Website. Contestant further agrees to be bound by the decisions of the Sponsor, which shall be final and binding in all respects. The Sponsor reserves the right, in its sole discretion, to disqualify any contestant found to be: (a) violating the Contest Rules; (b) tampering or attempting to tamper with the Contest; (c) acting in an unsportsmanlike or disruptive manner, or with intent to annoy, abuse, threaten, or harass any other person. CAUTION: ANY ATTEMPT TO DELIBERATELY UNDERMINE THE LEGITIMATE OPERATION OF THE CONTEST MAY BE A VIOLATION OF CRIMINAL AND CIVIL LAWS. SHOULD SUCH AN ATTEMPT BE MADE, THE SPONSOR RESERVES THE RIGHT TO SEEK REMEDIES AND DAMAGES TO THE FULLEST EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO CRIMINAL PROSECUTION.
9. PRIVACY / USE OF PERSONAL INFORMATION.
By participating in the Contest, contestant: (i) grants to the Sponsor the right to use his/her name, mailing address, telephone number, and e-mail address ("Personal Information") for the purpose of administering the Contest, including but not limited to contacting and announcing the winners; and (ii) acknowledges that the Sponsor may disclose his/her Personal Information to third-party agents and service providers of the Sponsor in connection with any of the activities listed in (i) above.
10. INTELLECTUAL PROPERTY.
All intellectual property, including but not limited to trade-marks, trade names, logos, designs, promotional materials, web pages, source code, drawings, illustrations, slogans, and representations are owned by Sponsor and/or its affiliates. All rights are reserved. Unauthorized copying or use of any copyrighted material or intellectual property without the express written consent of its owner is strictly prohibited.
Sponsor reserves the right, in its sole discretion, to terminate the Contest, in whole or in part, and/or modify, amend, or suspend the Contest, and/or the Contest Rules in any way, at any time, for any reason without prior notice.
These are the official Contest Rules. The Contest is subject to applicable laws and regulations. The Contest Rules are subject to change without notice in order to comply with any applicable laws or the policy of any other entity having jurisdiction over the Sponsor and/or the Contest. All issues and questions concerning the construction, validity, interpretation, and enforceability of the Contest Rules or the rights and obligations as between the contestant and the Sponsor in connection with the Contest shall be governed by and construed in accordance with the laws of Japan including procedural provisions without giving effect to any choice of law or conflict of law rules or provisions that would cause the application of any other jurisdiction's laws.
In the event of any discrepancy or inconsistency between the terms and conditions of the Contest Rules and disclosures or other statements contained in any Contest-related materials, the terms and conditions of the Contest Rules shall prevail, govern, and control.