THE PWN2OWN™ CONTEST ("CONTEST") IS CONDUCTED SOLELY IN ACCORDANCE WITH AND SHALL BE CONSTRUED AND EVALUATED ACCORDING TO APPLICABLE LAW. THE CONTEST IS VOID IN WHOLE OR PART WHERE PROHIBITED BY LAW. ENTRY IN THIS CONTEST CONSTITUTES ACCEPTANCE OF THESE CONTEST RULES (THE "CONTEST RULES"). TREND MICRO INCORPORATED ("TREND MICRO") IS THE SPONSOR OF THIS CONTEST ("SPONSOR").
1. ELIGIBILITY.
Employees of Trend Micro Incorporated, Meta Platforms, Inc., Synology Inc., QNAP Systems, Inc., and their respective affiliates, subsidiaries, related companies, advertising and promotional agencies, and the household members of any of the above are not eligible to participate in the Contest. This Contest is void where prohibited by law.
Contestants must be at the age of majority in their country, province or state of residence at the time of registration in order to participate and may not be a resident of any United States embargoed or sanctioned country or otherwise be listed on any United States denied or barred persons list. Any software or technology that attendees bring or cause to be transferred for purposes of the Contest to the country in which the Contest is held (“Contest Location”) may be subject to the export controls of attendee's country of residence or travel origin or subject to the import and export requirements of the Contest Location. Attendees are responsible for compliance with any applicable import and export controls as a result of their attendance at the Contest.
Sponsor shall have the right at any time to require proof of identity and/or eligibility to participate in the Contest. Failure to provide such proof may result in disqualification. All personal and other information requested by and supplied to the Sponsor for the purpose of the Contest must be truthful, complete, accurate, and in no way misleading. The Sponsor reserves the right, in its sole discretion, to disqualify any contestant should such contestant at any stage supply untruthful, incomplete, inaccurate, or misleading personal details and/or information.
If you are a public sector employee, it is critical that you verify the ethics code, laws, and/or regulations that govern your ability to accept items of value from companies with whom you conduct business. Please obtain the necessary approval from your organization before participating in the Contest and/or accepting any item of value from Sponsor. In addition, public-sector employees, employees of K-12 public and private education institutions and all libraries, including public, private school, college or university, research, and private libraries can participate in the Contest only if you are doing so outside of your official status and not as part of your employment with those entities.
2. CONTEST PERIOD.
The Contest will be held October 21st – 24th, 2025 in Cork, Ireland.
3. HOW TO ENTER.
This Contest is open to all but is subject to the eligibility requirements herein. No purchase is required to participate in the Contest. Contestants must be on-site at the Contest location to demonstrate their entry.
The contestant can register for the contest by contacting Sponsor via e-mail at pwn2own@trendmicro.com and indicating in which categories the contestant wishes to participate.
All contestants must sign up for a Trend Zero Day Initiative™ ("ZDI") Researcher account in order to participate.
The contestant can register multiple entries for a given category, but each entry must be for a different target in that category (See Section 4 below for categories, targets, and prizes). The contestant can only register once per target. Every entry must be a separate and unique exploit chain. Specific details about the targets (software, versions, configurations, chipsets, etc.) will be communicated to contestants during the registration process. If the contestant represents a company, they must identify which company they represent during the registration process. Each company is limited to one registration. Each contestant may only register once as either an individual, a team or company.
The Sponsor reserves the right to deny registration to entries that do not comply with the rules during the registration process. To complete registration, you must complete the Registration Questionnaire form along with opening a placeholder case and complete a Case Entry form for each target you are registering against. Contest registration closes at 5:00 p.m. Irish Standard Time on Oct 16th, 2025.
4. PRIZES.
Trend Micro is offering cash and prizes during the competition for vulnerabilities and exploitation techniques against the listed targets in the categories below. The first contestant to successfully compromise a target within the selected category will win the prize amount indicated for that specific target. All prizes are in US currency.
Sponsor reserves the right, in its sole discretion, to add or modify the device list if a new version of one of the devices is released, recalled, or reaches end-of-life between the release of the rules and the contest.
Categories and Prizes:
The contest has eight categories consisting of:
· Mobile Phone
· Smart Home
· Printer
· Network Attached Storage (NAS)
· Surveillance Systems
· Messaging
· Wearable
· Small Office / Home Office (SOHO) Smash-up
Each category has a set of targets that can be selected by the contestant during the registration process. All entries must compromise the target(s) and demonstrate arbitrary code execution or retrieve sensitive information (as defined by the Sponsor during the registration process) from the target(s).
If the contestant's attempt is successful, it might be eligible for an Add-on Bonus. This Add-on Bonus results in additional monetary prizes and Master of Pwn points. The contestant must identify which Add-on Bonus they are attempting during the registration process. It is possible to remove the Add-on bonuses during the attempt as long as the attempt meets the requirements of the original category without the Add-ons. If the Add-on bonus is removed during the attempt, this will impact the potential Master of Pwn points award as defined in the Master of Pwn section below. The eligibility requirements for the various Add-on Bonuses are documented in each category below.
Mobile Phone Category
Target | Vector | Cash Prize | Master of Pwn Points
Samsung Galaxy S25 | Remote | $50,000 (USD) | 5
Samsung Galaxy S25 | USB | $25,000 (USD) | 2.5
Google Pixel 9 | Remote | $300,000 (USD) | 30
Google Pixel 9 | USB | $75,000 (USD) | 7.5
Apple iPhone 16 | Remote | $300,000 (USD) | 30
Apple iPhone 16 | USB | $75,000 (USD) | 7.5
USB-based attacks must target the USB port that is openly exposed to the end user. Any other exposed USB ports and target disassembly are not in scope. The target will remain locked during the attack. The target can be either in “Before First Unlock” state or in “After First Unlock” state when starting the attempt. Spoofing attacks that use synthetic biometric data (fake masks, fingerprints, etc.) are not eligible.
A successful entry for the USB vector must either obtain arbitrary code execution or unlock the target and allow the attacker to further interact with the target in an unrestricted login session.
A successful entry for the Remote vector must compromise the device by browsing to web content in the default browser for the target under test or by communicating with the following radio protocols: near field communication (NFC), Wi-Fi, Bluetooth, or Baseband.
Smart Home Category
An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or exposed features from the contestant’s laptop within the contest network.
Target | Vector | Cash Prize | Master of Pwn Points
Amazon Smart Plug | Remote Code Execution | $20,000 (USD) | 2
Philips Hue Bridge | Remote Code Execution | $40,000 (USD) | 4
Home Assistant Green | Remote Code Execution | $40,000 (USD) | 4
Sonos Era 300 | Remote Code Execution | $50,000 (USD) | 5
Printer Category
An attempt in this category must be launched against the target’s exposed network services from the contestant’s device.
Target | Vector | Cash Prize | Master of Pwn Points
HP DeskJet 2827e | Remote Code Execution | $20,000 (USD) | 2
Lexmark CX532adwe | Remote Code Execution | $20,000 (USD) | 2
Canon imageCLASS MF654Cdw | Remote Code Execution | $20,000 (USD) | 2
Brother MFC-J1010DW | Remote Code Execution | $20,000 (USD) | 2
Network Attached Storage (NAS) Category
An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or from the contestant’s laptop within the contest network. Vulnerabilities in non-default apps/plugins, netatalk and MiniDLNA are out of scope.
Target | Vector | Cash Prize | Master of Pwn Points
Synology DiskStation DS925+ | Remote Code Execution | $40,000 (USD) | 4
Synology BeeStation Plus | Remote Code Execution | $40,000 (USD) | 4
Synology ActiveProtect Appliance DP320 | Remote Code Execution | $50,000 (USD) | 5
QNAP TS-453E | Remote Code Execution | $40,000 (USD) | 4
For the Synology DiskStation target, the following packages will be installed and are in scope for contest:
· Synology MailPlus Server
· Synology Drive Server
· Virtual Machine Manager
· Snapshot Replication
· Surveillance Station
· Synology Photos
· Synology Office
· Synology AI Console
The initial vulnerability utilized in the entry must not be publicly available upstream (e.g., as open-source), except when the logic was vendor-patched specifically for the target product.
Entries requiring ARP spoofing, DNS spoofing, MITM, or any assumptions involving control over external infrastructure are out of scope.
Any unrealistic assumptions (e.g. prior knowledge of internal or user-specific identifiers) are out of scope.
Surveillance Systems Category
An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or exposed features from the contestant’s laptop within the contest network.
Target | Vector | Cash Prize | Master of Pwn Points
Synology CC400W | Remote Code Execution | $30,000 (USD) | 3
Ubiquiti AI Pro | Remote Code Execution | $30,000 (USD) | 3
Wyze Cam Pan v3 | Remote Code Execution | $10,000 (USD) | 1
Successful entry must target a device that is fully integrated into a surveillance system during normal state of operations with all necessary configurations completed.
The initial vulnerability utilized in the entry must not be publicly available upstream (e.g., as open-source), except when the logic was vendor-patched specifically for the target product.
Entries requiring ARP spoofing, DNS spoofing, MITM, or any assumptions involving control over external infrastructure are out of scope.
Entries that leverage vulnerabilities reachable through images captured with the camera are allowed.
Entries that require physical access or interaction with the target are out of scope.
Any unrealistic assumptions (e.g. prior knowledge of internal or user-specific identifiers) are out of scope.
Messaging Category
All valid entries must use vulnerabilities reachable via WhatsApp and must not depend on other applications. An attempt in this category requires the contestant to compromise the target device and get arbitrary code execution by communicating with the targeted WhatsApp client running on the targeted device.
Target | Options | Cash Prize | Master of Pwn Points
WhatsApp | Zero-Click | $1,000,000 (USD) | 100
WhatsApp | One-Click | $500,000 (USD) | 50
WhatsApp | Remote Zero-Click Account Take-over | $150,000 (USD) | 15
WhatsApp | Remote Zero-Click Access to Microphone or Video Feed | $130,000 (USD) | 13
WhatsApp | Remote Zero-Click Access to User Sensitive Data | $130,000 (USD) | 13
WhatsApp | Remote One-Click Access to User Sensitive Data | $130,000 (USD) | 13
WhatsApp | Zero-Click Impersonation of Other Users in Chats | $50,000 (USD) | 5
Available target devices and target WhatsApp clients are documented below:
WhatsApp Client | Target Device
Android Consumer / Android Business | Xiaomi Redmi 13 5G (Snapdragon 4 Gen 2 AE); Samsung Galaxy S25; Google Pixel 9
iOS Consumer / iOS Business | Apple iPhone 16
WhatsApp Web | Microsoft Windows 11 running Google Chrome; Apple macOS 26 running Google Chrome
WhatsApp Windows | Microsoft Windows 11
WhatsApp macOS | Apple macOS 26
WhatsApp on Quest | Meta Quest 3 / Meta Quest 3S
WhatsApp on WearOS | Google Pixel Watch 3
Zero-Click / One-Click
A Zero-Click entry should require no user interaction in order to trigger the exploit chain. If required, the target device can be pre-staged to be viewing the conversation thread with the attacker.
A One-Click entry may require multiple taps from the victim, but performs one logical action. For example, if upon tapping a media file WhatsApp presents a warning dialog that must be accepted/dismissed to trigger a bug, this is a valid entry requiring two taps but one logical action. A victim accepting a VOIP call and sharing their screen is two or more taps, but at least two logical actions, and is not a valid entry. Sponsor reserves the right, in its sole discretion, to determine what is a logical action, and this will be agreed to with the contestant during the registration process.
Examples of invalid entry include:
· A zero-click information disclosure obtained via SMS from the target device’s default SMS application chained with an RCE vulnerability in WhatsApp.
· A one-click exploit delivered via a media file that must be opened in another application on the target device.
If required, the contestant is allowed to add the attacker phone number to the victim’s contacts before attempting their entry. Additionally, a vulnerability only reachable when viewing a chat thread does not count against the number of clicks. For example, an exploit chain that is only triggered while viewing a chat thread will still be considered a zero-click exploit. If that exploit chain requires interacting with a message, such as tapping on an image or playing a video, it is considered one-click.
Zero-Click / One-Click Remote Code Execution
An entry targeting the Zero-Click / One-Click Remote Code Execution option must be demonstrated on the WhatsApp Consumer client and is limited to the following target devices:
· Samsung Galaxy S25
· Xiaomi Redmi 13 5G (Snapdragon 4 Gen 2 AE)
· Google Pixel 9
· Apple iPhone 16
A valid remote code execution entry may target vulnerabilities in any code WhatsApp depends on that is loaded into its application’s address space, including those provided by the target platform operating system.
If an exploit chain targets WhatsApp resources (code or data) and requires an application restart to trigger some part of the exploit chain, an application restart is permitted in order to trigger the required condition so long as no further user interaction is required beyond launching the application again.
All Other Options
For an entry targeting the Remote Zero-Click Account Take-over option, the entry must demonstrate the ability to receive messages sent to the target device by registering as their phone without having access to confirmation codes. Social engineering is not within the scope of the contest.
For an entry targeting the Remote Zero-Click Access to Microphone or Video Feed option, the entry’s payload must access the raw microphone or video feed of the target device without any user interaction.
For an entry targeting the Remote Zero or One-Click Access to User Sensitive Data option, the entry must leak the chat history, backup, the user’s exact location or media the WhatsApp app has access to via a vulnerability in WhatsApp. Leaking through cloud storage is not in scope.
For an entry targeting the Zero-Click Impersonation of Other Users option, the entry must demonstrate the ability to modify other users’ messages, or send a message as another user, or the appearance of doing so. The message must show up on the UI as a separate chat bubble, originating from the impersonated account. Replies and quoted messages are not in scope.
Wearable Category
An attempt in this category must be launched against the target under test, a Meta Quest 3/3S or Ray-Ban Meta Smart Glasses. A successful attempt against a given target must obtain native code execution on the specified target.
Target | Option | Vector | Cash Prize | Master of Pwn Points
Ray-Ban Meta Smart Glasses | No Interaction Remote Code Execution | Remote | $150,000 (USD) | 15
Ray-Ban Meta Smart Glasses | No Interaction Remote Code Execution | Proximity | $100,000 (USD) | 10
Ray-Ban Meta Smart Glasses | One Interaction Remote Code Execution | Remote | $100,000 (USD) | 10
Ray-Ban Meta Smart Glasses | One Interaction Remote Code Execution | Proximity | $70,000 (USD) | 7
Ray-Ban Meta Smart Glasses | No Interaction Local Privilege Escalation | Sensitive Data Access | $30,000 (USD) | 3
Ray-Ban Meta Smart Glasses | No Interaction Local Privilege Escalation | Self Jailbreak | $30,000 (USD) | 3
Meta Quest 3/3S | No Interaction Remote Code Execution | Remote | $150,000 (USD) | 15
Meta Quest 3/3S | No Interaction Remote Code Execution | Proximity | $100,000 (USD) | 10
Meta Quest 3/3S | One Interaction Remote Code Execution | Remote | $100,000 (USD) | 10
Meta Quest 3/3S | One Interaction Remote Code Execution | Proximity | $70,000 (USD) | 7
Meta Quest 3/3S | No Interaction Local Privilege Escalation | Sandbox Escape | $40,000 (USD) | 4
Meta Quest 3/3S | No Interaction Local Privilege Escalation | Sensitive Data Access | $30,000 (USD) | 3
Meta Quest 3/3S | No Interaction Local Privilege Escalation | Self Jailbreak | $30,000 (USD) | 3
The target device must have gone through initial setup and be using default settings.
For entries in the No / One Interaction Remote Code Execution options:
· “No Interaction” in this option is defined as using Meta’s system and first-party application without any attack specific user action. (e.g. The prerequisite to have Horizon open is not considered as an interaction.). Opening a website and approving to launch a WebXR environment will be accepted under the “One Interaction” option.
· An attempt through the Proximity vector must be launched against the target by communicating with the target through the RF attack surface.
For entries in the No Interaction Local Privilege Escalation options:
· “No Interaction” in this option means the user has opened the attacker’s app/website, but they did not perform any further actions.
· For the Sandbox Escape vector, the app/browser sandbox escape payload must execute arbitrary native code as kernel/root/system user.
· For the Sensitive Data Access vector, the entry must gain unauthorized access to raw camera/microphone feeds or first-party access tokens from the app/browser sandbox.
  o If targeting Ray-Ban Meta Glasses, this entry requires a malicious app on the user’s paired (non-rooted) Google Pixel 9 mobile device to gain unauthorized access to photos, videos or live camera feed from the glasses.
· For the Self Jailbreak vector, the payload must execute arbitrary native code as kernel/root/system user through full user access & available physical interfaces (such as the USB-C port). Disassembling the device is not in scope.
Vulnerabilities which are reproducible in AOSP outside of the Meta Quest and the Ray-Ban Meta Smart Glasses environments are out of scope.
Small Office / Home Office (SOHO) Smash-up Category
An attempt in this category requires the contestant to get arbitrary code execution on two different devices to win the corresponding prize. The attempt must begin by exploiting the WAN side or via RF-based attack of the selected router from the Initial Stage device list. After successfully compromising the router, the attempt must pivot from the LAN side of the router and compromise a selected device from Final Stage device list within the contest network. The contestant is free to select any combination of router and smart home, smart speaker, surveillance system, or network attached storage device during the registration process. The contestant will be able to interact with their entry once during the ten (10) minute attempt window to launch the final stage of their exploit which targets the internal device. A given contestant can only register once for this category. Vulnerabilities in non-default apps/plugins, netatalk and MiniDLNA are out of scope.
Target: Initial Stage (router) | Target: Final Stage (internal device) | Prize Amount | Master of Pwn Points
QNAP Qhora-322; MikroTik RB4011iGS+5HacQ2HnD-IN; Ubiquiti UniFi Dream Machine Pro; Nest Wifi Pro with Wi-Fi 6E | Amazon Echo Show 15; Google Nest Hub (2nd Gen); Apple HomePod (2nd Gen); Amazon Echo Pop; Google Nest Audio; Synology DiskStation DS925+; QNAP TS-453E; Nest Cam (indoor, wired); Arlo Pro 5S 2K | $100,000 USD | 10
Targets in this category will be in a powered-on state at the start of the attempt.
Restrictions and available scoping that are defined in the Smart Home Category, Surveillance Systems Category, and the Network Attached Storage (NAS) Category are applicable to the Small Office / Home Office (SOHO) Smash-up Category.
Master of Pwn:
The contestant with the highest total points at the end of the contest ("Master of Pwn") will receive 65,000 ZDI reward points (estimated at $25,000 (USD)). Total points are calculated by the sum of the successful entries based on the allocated Master of Pwn points in the tables above. For example, if a contestant has a successful remote vector entry on the Google Pixel 9 and a successful remote vector entry in the Apple iPhone 16 then their total points would be 60. If two or more contestants have the same number of points at the end of the contest, each of these contestants will receive 65,000 ZDI reward points (estimated at $25,000 (USD)).
If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. If the contestant decides to withdraw from the registered attempt after the start of the contest, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest.
Along with the prize money, the first-round winner for a given category will win the device (estimated value of $500 (USD)) unless otherwise stated in the Category description in Section 4. Winners of these prizes are not entitled to the difference, if any, between the actual prize value and the estimated prize value. The estimated prize value is as of the date of printing of these Contest Rules.
It is possible that a category may have no winner. If a category has no winner, Sponsor may, in its sole discretion, choose to use the prize money from that category to offer additional prize(s) in another above listed category that may be equal to or less than the initial prize offering for such category. The odds of winning depend on the number of eligible participants in a category and the ability to meet the requirements of this skills-based Contest. Prizes will be distributed within eight (8) weeks after each winner has fulfilled the requirements set out herein.
Prizes must be accepted as awarded and cannot be transferred, assigned, substituted, or redeemed for cash except at the sole discretion of Sponsor. Any unused portion of a prize will be forfeited and has no cash value. Sponsor reserves the right, in its sole discretion, to substitute a prize of equal or greater value if a prize (or any portion thereof) cannot be awarded for any reason. Taxes on prizes, if any, are the sole responsibility of the winner.
Sponsor reserves the right, in its sole discretion, to add or modify the categories if a new version of one of the targets or devices is released, updated, hardened, or recalled between the release of the Contest Rules and the Contest.
The Sponsor shall not assume any liability for any lost or misdirected prizes.
5. WINNER SELECTION.
If more than one contestant registers for a given category, the order of the contestants will be drawn at random. Based on the contestant order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity. This will continue until a contestant successfully compromises the target using an entry that meets all the requirements of a successful entry defined below. The first contestant to successfully compromise a selected target with a successful entry will win the prize money for that target in the category. After a winner of a target has been determined, the contest for that category is over and no other contestants will participate in the contest for that category (unless Sponsor has offered an additional winner option, which would be announced at the Contest, if applicable).
A successful entry must leverage a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions. The entry is required to defeat the target's techniques designed to ensure the safe execution of code, such as, but not limited to, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and/or application sandboxing. If a sandbox is present, a full sandbox escape is required unless otherwise stated in the Category description in Section 4.
The sensitive information that the exploit must retrieve is defined by the Sponsor and will be information normally inaccessible from the application's sandbox. The exact details of the information to retrieve in the attempt will be communicated to the contestant prior to the contest.
A contestant has up to three (3) attempts to succeed. Each of the three (3) attempts will be individually limited to a time period of ten (10) minutes. For an attempt to be deemed successful, all elements of the attempt must complete within the 10-minute attempt window. All three (3) attempts must be completed within thirty (30) minutes, excluding the time needed to set up the device prior to the attempt. Notwithstanding the foregoing, Sponsor may extend a contestant’s time period, in Sponsor’s discretion, for example if during an attempt the contestant experiences any connection issues caused by inaccessible or unavailable networks, servers, Internet Service Providers, or other connections that are outside of contestant’s or Sponsor’s control.
If the attempt to compromise the target is unsuccessful, the execution of all exploit scripts and programs must be terminated. After a failed attempt, the contestant may forgo attempt time window(s) in the remaining 30-minute window to troubleshoot and modify their exploit. During this troubleshoot period, the target may be turned off or disconnected from the contest network.
A successful entry against these targets via a contestant-initiated attempt must require no user interaction beyond the action required to launch the attempt and must occur within the user's session with no reboots or logoff/logons. For example, having to interact with a dialog in order to successfully complete the exploit, or writing a malicious file to the Startup folder, is not allowed.
A successful entry against these targets via a contestant-initiated attempt must be fully automated and launched in one command. The contestant is not allowed to interact with the exploit after the attempt has started. For example, manually copying the leaked admin password from the output of the first stage of the exploit and pasting the password as a parameter in the terminal to manually launch a second-stage exploit is not allowed. After an attempt has started, the contestant is only allowed to interact with the exploit again to demonstrate execution of arbitrary instructions on the target to the Sponsor. Unless previously agreed to with the Sponsor, any other interaction with the exploit after an attempt has started shall be deemed a declaration of an unsuccessful attempt by the contestant.
The initial vulnerability utilized in the entry must be in the registered target. The sandbox escape utilized in the entry must be in the registered target (unless the entry leverages a kernel privilege escalation).
The targets will be running on the latest, fully patched version of the operating system available on the selected target (Apple iOS, Google Android, etc). All targets will be installed in their default configurations and fully operational state when the attempt begins. Sponsor reserves the right, in its sole discretion, to allow non-default configurations if the Sponsor deems them to be in the normal use case of the target under test.
A given vulnerability may only be used once across all categories. The vulnerabilities utilized in the attack must be unknown, unpublished, and/or not previously reported to the vendor or the Sponsor. If the entry leverages a previously known vulnerability, as evidenced by the vendor or Sponsor, Sponsor may, in its sole discretion, choose to accept the entry(ies) and offer the prize(s) at a value less than the initial prize offering for a given category.
If authentication is present, the exploit must occur prior to authentication to the service or include an authentication bypass. If the entry requires a man-in-the-middle attack, ARP spoofing attack, or software downgrade attack, Sponsor may, in its sole discretion, choose to accept the entry(ies) and offer the prize(s) at a value less than the initial prize offering for a given category. Contestants may contact the Sponsor prior to the Contest to obtain a determination regarding prize eligibility for proposed entries that require such techniques.
Sponsor reserves the right to solely determine what constitutes a successful entry. The Sponsor may, in its sole discretion, choose to accept the entry(ies) and offer the prize(s) at a value less than the initial prize offering for a given category if the Sponsor deems that part of the exploit chain fails to meet the above rules. For example, if the entry contains a previously known vulnerability, and the vendor has not yet released a patch, Sponsor may accept the entry(ies) and offer the prize(s) at a value less than the initial prize offering for a given category.
Upon successful demonstration of the exploit, the contestant will immediately provide Sponsor with a fully functioning exploit, a whitepaper and associated artifacts (e.g. PCAP) explaining the vulnerabilities and exploitation techniques used in the entry. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, privilege escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes. Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the exploits and whitepapers will become the property of the Sponsor in accordance with the ZDI researcher agreement. Failure to provide a whitepaper will be deemed as an incomplete entry and the entry will be disqualified from the Contest.
6. INDEMNIFICATION BY CONTESTANT.
By entering the Contest, contestant releases and holds Sponsor harmless from any and all liability for any injuries, loss, or damage of any kind to the contestant or any other person, including personal injury, death, or property damage, resulting in whole or in part, directly or indirectly, from acceptance, possession, use, or misuse of any prize, participation in the Contest, any breach of the Contest Rules, or in any prize-related activity. The contestant agrees to fully indemnify Sponsor from any and all claims by third parties relating to the Contest, without limitation.
7. LIMITATION OF LIABILITY.
Contestant acknowledges and agrees that Sponsor assumes no responsibility or liability for any computer, online, software, telephone, hardware, or technical malfunctions that may occur. The Sponsor is not responsible for any incorrect or inaccurate information, whether caused by website users or by any of the equipment or programming associated with or utilized in the Contest or by any technical or human error which may occur in the administration of the Contest. The Sponsor is not responsible for any problems, failures, or technical malfunctions of any telephone network or lines, computer online systems, servers, providers, computer equipment, software, e-mail, players, or browsers, on account of technical problems or traffic congestion on the Internet, at any website, or on account of any combination of the foregoing. The Sponsor is not responsible for any injury or damage to the contestant or to any computer related to or resulting from participating or downloading materials in this Contest. Contestant assumes liability for injuries caused or claimed to be caused by participating in the Contest, or by the acceptance, possession, use of, or failure to receive any prize. The Sponsor assumes no responsibility or liability in the event that the Contest cannot be conducted as planned for any reason, including those reasons beyond the control of the Sponsor, such as infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or corruption of the administration, security, fairness, integrity, natural disaster, or proper conduct of this Contest.
8. CONDUCT.
As a condition of participating in the Contest, each contestant agrees to be bound by these Contest Rules and indicates consent as part of the registration process. Contestant further agrees to be bound by the decisions of the Sponsor, which shall be final and binding in all respects. The Sponsor reserves the right, in its sole discretion, to disqualify any contestant found to be: (a) violating the Contest Rules; (b) tampering or attempting to tamper with the Contest or any of the equipment, the Contest website, or Contest programming; (c) acting in an unsportsmanlike or disruptive manner that interferes with any portion of the Contest; or (d) engaging in any form of harassing, offensive, discriminatory, or threatening speech or behavior, including (but not limited to) relating to race, gender, gender identity and expression, national origin, religion, disability, marital status, age, sexual orientation, military or veteran status, or other protected category. CAUTION: ANY ATTEMPT TO DELIBERATELY UNDERMINE THE LEGITIMATE OPERATION OF THE CONTEST MAY BE A VIOLATION OF CRIMINAL AND CIVIL LAWS. SHOULD SUCH AN ATTEMPT BE MADE, THE SPONSOR RESERVES THE RIGHT TO SEEK REMEDIES AND DAMAGES TO THE FULLEST EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO CRIMINAL PROSECUTION.
9. PRIVACY / USE OF PERSONAL INFORMATION.
By participating in the Contest, contestant: (i) grants to the Sponsor the right to use his/her name, likeness, mailing address, telephone number, and e-mail address ("Personal Information") for the purpose of administering the Contest, including but not limited to contacting and announcing the winners; and (ii) acknowledges that the Sponsor may disclose his/her Personal Information to third-party agents and service providers of the Sponsor in connection with any of the activities listed in (i) above.
Sponsor will use the contestant's Personal Information only for the identified purposes, and will protect the contestant's Personal Information in a manner that is consistent with Sponsor's Privacy Policy at: trendmicro.com/privacy.
10. INTELLECTUAL PROPERTY.
All intellectual property, including but not limited to trademarks, trade names, logos, copyrights, designs, promotional materials, web pages, source code, drawings, illustrations, slogans, and representations are owned by Sponsor and/or its affiliates. All rights are reserved. Unauthorized copying or use of any copyrighted material or intellectual property without the express written consent of its owner is strictly prohibited.
11. TERMINATION.
Sponsor reserves the right, in its sole discretion, to terminate the Contest, in whole or in part, and/or modify, amend, or suspend the Contest and/or the Contest Rules in any way, at any time, for any reason, without prior notice.
12. LAW.
These are the official Contest Rules. The Contest is subject to applicable laws and regulations. The Contest Rules are subject to change without notice in order to comply with any applicable laws or the policy of any other entity having jurisdiction over the Sponsor and/or the Contest. All issues and questions concerning the construction, validity, interpretation, and enforceability of the Contest Rules or the rights and obligations as between the contestant and the Sponsor in connection with the Contest shall be governed by and construed in accordance with the laws of Ireland, including procedural provisions, without giving effect to any choice of law or conflict of law rules or provisions that would cause the application of any other jurisdiction's laws.
13. PRECEDENCE.
In the event of any discrepancy or inconsistency between the terms and conditions of the Contest Rules and disclosures or other statements contained in any Contest-related materials, the terms and conditions of the Contest Rules shall prevail, govern, and control.
© 2025 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.